Certificate Discussion

Maybe this high-level summary, focusing ONLY on certificates, might help someone.

Using instructions from these 3 pages:

One time per CA/Server:

  1. Set up a separate air-gapped CA machine (install boxbackup-server, run bbstored-certs ca init). From my CA .../ca/ directory:
    ./keys/clientRootCSR.pem     <-- a temporary certificate signing request generated in the process of producing the self-signed client CA certificate (clientCA.pem).
    ./keys/clientRootKey.pem     <-- the key associated with clientCA.pem (I think).
    ./roots/clientCA.pem         <-- the CA which signs all client certificates. The server requires a client's certificate to be signed by this CA, or will not allow it to connect. All servers must have a copy of clientCA.pem to verify this.
    ./roots/         <-- the serial number of the last certificate issued by the client CA. OpenSSL keeps this in a file to avoid issuing certificates with duplicate serial numbers.
    ./servers/<ServerNickName>-cert.pem    <-- the actual certificate issued to each client. Clients generate a key and CSR locally, send the CSR to the CA, which signs it (producing this certificate file as output) and returns it.
    * serverCA.pem, serverRootKey.pem, serverRootCSR.pem, as above but for servers. Clients require that any server they connect to presents a certificate signed by serverCA.pem. All clients must have a copy of serverCA.pem to verify this.
  • Maybe someone can explain each of those files for us?
  2. Set up the internet-connected Server machine (install boxbackup-server, run raidfile-config, bbstored-config). Send -csr.pem to CA.
  3. On the CA, sign the Server -csr.pem (bbstored-certs ca sign-server). Follow output instructions...(sorry I don't have them handy).
  4. On the Server, place the CA-signed server certificate as instructed by "What you need to do now..." from "bbstored-certs ca sign-server". From my /etc/boxbackup/bbstored.conf:
    CertificateFile = /etc/boxbackup/bbstored/<servernickname>-cert.pem  <-- Server public SSL cert, signed by CA, from CA "bbstored-certs ca sign-server"
    PrivateKeyFile = /etc/boxbackup/bbstored/<servernickname>-key.pem    <-- Server private SSL cert, from "bbstored-config"
    TrustedCAsFile = /etc/boxbackup/bbstored/clientCA.pem                <-- CA root cert(?), from CA "bbstored-certs ca init"
  • I believe that's true; someone please check.

Now you are ready to add one or more clients:

  1. On the Server, create a Client account (run bbstoreaccounts create). Inform Client of account number and server domain name or IP address.
  2. Set up the Client machine (run bbackupd-config). If you want to generate your own home-grown client certs with a different technique, I think you can do that at this point (For example, before running bbackupd-config, modify this line of that file by hand: "if(system("openssl genrsa -out $private_key 2048") != 0)", or use a completely different tool; I'm not sure what the limitations are (could one use elliptic curve?).). Send -csr.pem to CA (instructions say server admin).
  3. On CA machine, check -csr.pem account number (how?), then sign -csr.pem (bbstored-certs ca sign), then follow output instructions (send "CA root"(?) and client cert to Client).
  4. On Client machine, install CA root and client cert as instructed. From my client /etc/box/bbackupd.conf (notice it's /etc/box/, not /etc/boxbackup/):
    KeysFile = /etc/box/bbackupd/<AcctNo>-FileEncKeys.raw  <-- Client private encryption key (from bbackupd-config, or home-grown)
    PrivateKeyFile = /etc/box/bbackupd/<AcctNo>-key.pem    <-- Client private SSL cert (from bbackupd-config, or home-grown)
    CertificateFile = /etc/box/bbackupd/<AcctNo>-cert.pem  <-- Client public SSL cert (from CA, bbstored-certs ca sign)
    TrustedCAsFile = /etc/box/bbackupd/serverCA.pem        <-- "CA root"(?) (from CA, bbstored-certs ca sign)
  • Again, someone should check my work here.
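The following script is an added example, not code from the BoxBackup project or from this page. It builds a throwaway PKI laid out like the ca/ directory above (a client root and a server root, a client key and CSR, the CA-signed client cert, and the .srl last-serial file that -CAcreateserial leaves behind) and then runs the checks an admin would want before trusting what was mailed around: whether the account number in the CSR matches what bbstoreaccounts create handed out (the "how?" in step 3), whether the signed cert actually chains to the root the other side lists as TrustedCAsFile, and whether the key file has the tight permissions discussed under "Additional Distantly Related Info". Assumptions: the client CSR subject is CN=BACKUP-<account number> (this is what bbackupd-config appears to do, but treat it as an assumption), the account number 7f1a2b3c and all file names are constructed, and the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not BoxBackup project code. Assumption: the client CSR
# subject is CN=BACKUP-<account number>; all names below are constructed.
set -eu

# Minimal openssl config so the example does not depend on a distribution
# openssl.cnf; the v3_ca section marks the self-signed root as a CA.
write_cfg() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = constructed placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# make_ca <dir> <name>: <name>.pem and <name>Key.pem, the counterparts of
# roots/clientCA.pem and keys/clientRootKey.pem.
make_ca() {
    openssl genrsa -out "$1/$2Key.pem" 2048 2>/dev/null
    chmod 600 "$1/$2Key.pem"
    openssl req -x509 -new -key "$1/$2Key.pem" -config "$1/req.cnf" \
        -extensions v3_ca -subj "/CN=$2" -days 3650 -out "$1/$2.pem" 2>/dev/null
}

# make_client_csr <dir> <account>: the client-side step; the key stays
# put, only the CSR travels to the CA.
make_client_csr() {
    openssl genrsa -out "$1/$2-key.pem" 2048 2>/dev/null
    chmod 600 "$1/$2-key.pem"
    openssl req -new -key "$1/$2-key.pem" -config "$1/req.cnf" \
        -subj "/CN=BACKUP-$2" -out "$1/$2-csr.pem" 2>/dev/null
}

# sign_csr <csr> <ca-cert> <ca-key> <out-cert>: the CA-side step;
# -CAcreateserial writes the <ca>.srl last-serial-number file.
sign_csr() {
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 365 -out "$4" 2>/dev/null
}

# csr_account <csr>: the account number the CSR claims, or nothing when
# the CN lacks the BACKUP- prefix. Compare it with the account the server
# admin actually created before signing.
csr_account() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=CN=BACKUP-//p'
}

# cert_signed_by <cert> <ca-cert>: succeeds only if the cert chains to
# that root, i.e. a peer with it as TrustedCAsFile would accept it.
cert_signed_by() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# key_perms_ok <file>: owner has access, group at most read (for a
# _bbstored-style service group), others nothing; e.g. 600 or 640.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    mode=${mode#"${mode%???}"}   # keep the last three octal digits
    case "$mode" in
        [4-7]00|[4-7]40) return 0 ;;
        *) return 1 ;;
    esac
}

# setup_pki <dir>: client and server roots, one client (constructed
# account 7f1a2b3c), and that client's cert signed by the client root.
setup_pki() {
    write_cfg "$1/req.cnf"
    make_ca "$1" clientCA
    make_ca "$1" serverCA
    make_client_csr "$1" 7f1a2b3c
    sign_csr "$1/7f1a2b3c-csr.pem" "$1/clientCA.pem" "$1/clientCAKey.pem" \
        "$1/7f1a2b3c-cert.pem"
}

run_demo() {
    d=$(mktemp -d)
    setup_pki "$d"
    echo "CSR claims account: $(csr_account "$d/7f1a2b3c-csr.pem")"
    cert_signed_by "$d/7f1a2b3c-cert.pem" "$d/clientCA.pem" && echo "client cert chains to clientCA.pem"
    cert_signed_by "$d/7f1a2b3c-cert.pem" "$d/serverCA.pem" || echo "client cert does not chain to serverCA.pem"
    key_perms_ok "$d/7f1a2b3c-key.pem" && echo "client key permissions acceptable"
    ls "$d"
    rm -rf "$d"
}

run_demo
```

The same three checks apply on the server side with serverCA.pem and the <servernickname>-cert.pem/-key.pem pair; verifying against the wrong root is the quickest way to spot a clientCA.pem and serverCA.pem mixed up in TrustedCAsFile.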

Additional Distantly Related Info

Things I've had problems with over the years include:

  1. Depending upon how you install and configure your boxbackup client and server, you may need to look in "/etc/box/" or "/etc/boxbackup/". The OS/Distribution packages have changed a bit over time, and may install boxbackup slightly differently than if compiled from source, and the documentation may not have been perfectly kept up. For a while, I was adding symbolic links between those directories.
  2. The file ownership and permissions on the certs and their directory paths need to be set such that they are readable by the bbackupd (client) and bbstored (server) processes, respectively. For example, on page, see the bbstored-config command, and the "_bbstored" username option setting there. (Note that the certs should have very tight permissions to avoid adversaries taking or modifying them, but still readable by the server process user, "_bbstored" in this case.)
  3. On page, "Example configuration output", "bbstored basic configuration complete.",
    "What you need to do now...":
     1) Sign /etc/boxbackup/bbstored/  using the bbstored-certs utility.

...note that that is done on the "certificate authority" (CA) machine. Note that it wasn't clear to me for a while that the CA really should be a separate, third, air-gapped machine, and thus possibly there should be a third software package in addition to these two:

$ apt-cache search boxbackup
boxbackup-client - client for the BoxBackup remote backup system
boxbackup-server - server for the BoxBackup remote backup system
  4. (Note also that over the years I've had problems with the installed boxbackup binaries moving around to various places under /usr/ (local/?, bin/? sbin/?) depending upon how I installed boxbackup -- pay very close attention to the boxbackup script output generated on _your_ machine (as opposed to what you read in the docs).)
  5. (Note also that in my own ignorance, I would sometimes get confused between the boxbackup "server" and the boxbackup "store"; they are the same thing, and have nothing to do with any boxbackup client that might happen to be a server-grade machine (human personnel at the client shop may call it their "server", but it's a boxbackup client).)
  6. (Note also the security problems with sending these certificates securely between the CA, Client and Server...)
Last modified on Nov 6, 2012, 6:48:43 PM