[Box Backup] Question about certificates
Chris Wilson
boxbackup@fluffy.co.uk
Wed, 1 Aug 2007 19:25:00 +0100 (BST)
Hi Nuno,

On Wed, 1 Aug 2007, Nuno Fernandes wrote:
>>> Apparently bbstored-certs /etc/box/bbstored/certs init creates 2 root
>>> CAs (one for clients and the other for servers). Why does it create 2
>>> CAs?
>>
>> One is for validating servers, the other for validating clients. I
>> think servers are just accepted as valid if they present a valid
>> certificate signed by the server CA. For clients, the CN must match - I
>> think it must be BACKUP-<account number> (without zeros at the beginning),
>> the certificate being signed by the client CA.
>
> Can't I use the same CA to validate servers and clients?

You can, but it's not secure. It allows one of your clients to pretend to
be a valid server for any other client.

If you really want to do that, just set the ServerCA (on the client) and
ClientCA (on the server) to point to the same certificate.

Cheers, Chris.
--
_____ __ _
\ __/ / ,__(_)_ | Chris Wilson <0000 at qwirx.com> - Cambs UK |
/ (_/ ,\/ _/ /_ \ | Security/C/C++/Java/Perl/SQL/HTML Developer |
\ _/_/_/_//_/___/ | We are GNU-free your mind-and your software |
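
An audit for the shared-CA setup discussed in the message above, added here as an example and not taken from the email or from Box Backup's own code. It assumes you have the contents of the PEM file the client uses as ServerCA and the one the server uses as ClientCA; the function names are hypothetical and the sample certificates are constructed placeholder bytes.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_text):
    """SHA-256 fingerprint of the DER bytes of every certificate in a PEM bundle."""
    return {
        hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
        for body in PEM_CERT.findall(pem_text)
    }


def shared_trust_anchors(server_ca_pem, client_ca_pem):
    """Sorted fingerprints trusted on both sides (empty list = CAs are separate).

    server_ca_pem: what the client trusts to sign servers (ServerCA).
    client_ca_pem: what the server trusts to sign clients (ClientCA).
    """
    server_side = cert_fingerprints(server_ca_pem)
    client_side = cert_fingerprints(client_ca_pem)
    if not server_side or not client_side:
        # An empty or mistyped bundle proves nothing, so refuse to report "ok".
        raise ValueError("bundle contains no certificates")
    return sorted(server_side & client_side)


def to_pem(der, width=64):
    """Wrap raw bytes as a PEM certificate block (used for the sample data)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed placeholder bytes standing in for two CA certificates (not real DER).
SERVER_CA = b"constructed-server-CA-" * 8
CLIENT_CA = b"constructed-client-CA-" * 8

if __name__ == "__main__":
    # Separate CAs, as bbstored-certs init creates them: nothing shared.
    print(shared_trust_anchors(to_pem(SERVER_CA), to_pem(CLIENT_CA)))
    # Same CA on both sides, re-wrapped at 76 columns inside a two-certificate
    # bundle: a plain file comparison would miss it, the fingerprint does not.
    reused = to_pem(CLIENT_CA) + to_pem(SERVER_CA, width=76)
    print(shared_trust_anchors(to_pem(SERVER_CA), reused))
```

A non-empty result means the same certificate is trusted for both roles. The check compares whole certificates, so it does not detect two different certificates issued for the same CA key.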