Bacula-users

[Bacula-users] Fwd: Fatal error: TLS required but not configured in Bacula.

2009-04-22 07:47:36
Subject: [Bacula-users] Fwd: Fatal error: TLS required but not configured in Bacula.
From: Maarten Hoogveld <m.hoogveld AT elevate DOT nl>
To: "bacula-users AT lists.sourceforge DOT net" <bacula-users AT lists.sourceforge DOT net>, Sébastien Weber <swr AT peter-holmes DOT com>
Date: Wed, 22 Apr 2009 13:10:46 +0200
Sorry, accidentally pressed the send button before the mail was completed. (Now why didn't I look into that Gmail undo-send button yesterday?)

Hi,

I have installed bacula with "# apt-get install bacula" in Debian Linux.
My backups work, but they are not secured with TLS...
When I use TLS, I get the error message:
"Fatal error: TLS required but not configured in Bacula."

How do I use TLS? Where do I configure TLS with this install?

Hi Sébastien,

Check out the Bacula documentation on TLS. The example configs are a good start.
Also check out the OpenSSL docs on how to become your own Certificate Authority so you can create your own certificates.
This may take some effort and time if you are unfamiliar with certificates. Without the right certificates it will not work.
OpenSSL has some functionality with which you can check the certificates. You can create some sort of server and try to connect to it, but I don't remember how that works anymore. Google for it.
It's important to start with the simplest solution (e.g. no TLS) and then gradually add TLS features. (So don't start with "TLS Allowed CN" or something like that; add that when the plain TLS connection works.)
Also important to understanding what's going on is figuring out what connects to what. The part about firewalls in the Bacula documentation has a small and useful overview of that. For the TLS connection the "client" is the connecting party and the "server" is the party being connected to. Example: when the bacula-dir connects to the bacula-fd, the bacula-dir is the client and the bacula-fd is the server. (See the comments in the example configs in the Director resource of the bacula-fd config.)

I have created some scripts to create and sign my own certificates because I just can't remember the command line options for openssl. They are used in a Fedora 6 environment, so you may have to change some paths to match your setup.
Before you can use these scripts you need:
- A proper openssl config file
  Place the file location in create.sh at the [openssl.cnf] placeholder
- Your self-signed root certificate and private key
  Place them in their placeholders [ca.crt] and [ca.key] in the sign script
- Check all paths in sign.sh (/etc/pki/CA/ in my installation) and make sure they match your setup.
(Note: The sign script is not mine. I found it on the internet somewhere and don't remember who wrote it, so I can't give credit.)


Of course this doesn't explain TLS fully but I hope this helps a bit.


Regards,
Maarten Hoogveld


create.sh A script to create a new key-pair and a cert-sign-request.

#!/bin/bash
FILE_BASE=$1

if [ $# -ne 1 ]; then
  echo "Usage: $0 <base-filename>"
  echo "  Creates a key-pair and csr (Certificate Signing Request)"
  echo "  Files created are <base-filename>.key and <base-filename>.csr."
  exit 1
fi

if [ -e "${FILE_BASE}.key" ]; then
  echo "File ${FILE_BASE}.key already exists."
  echo "Exiting."
  exit 1
fi

# -nodes leaves the private key unencrypted, which the Bacula daemons need
# because they start unattended. "-days" only applies to self-signed (-x509)
# certificates, so it is not given here; the validity of the signed
# certificate is set by default_days in sign.sh.
openssl req -config [openssl.cnf] -new -nodes -sha256 \
  -keyout "${FILE_BASE}.key" -out "${FILE_BASE}.csr" || exit 1
chmod 0400 "${FILE_BASE}.key"

echo "Done."


sign.sh  A script to sign a signing request

#!/bin/sh
#   argument line handling
CSR=$1
if [ $# -ne 1 ]; then
  echo "Usage: ${0} <whatever>.csr"; exit 1
fi
if [ ! -f "$CSR" ]; then
  echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
  *.csr ) CERT="`echo "$CSR" | sed -e 's/\.csr$/.crt/'`" ;;
  * ) CERT="$CSR.crt" ;;
esac
#   CA directory: the database files below are kept here (and not in the
#   current directory) so that the checks and the config refer to the same
#   files and the script can be run from anywhere
CA_DIR=/etc/pki/CA
#   make sure environment exists
if [ ! -d "$CA_DIR/ca.db.certs" ]; then
  mkdir "$CA_DIR/ca.db.certs"
fi
if [ ! -f "$CA_DIR/ca.db.serial" ]; then
  echo '01' >"$CA_DIR/ca.db.serial"
fi
if [ ! -f "$CA_DIR/ca.db.index" ]; then
  cp /dev/null "$CA_DIR/ca.db.index"
fi
#   create an own SSLeay config
cat > ca.config <<EOT
[ ca ]
default_ca      = CA_own
[ CA_own ]
dir     = $CA_DIR
certs   = $CA_DIR/certs
new_certs_dir   = $CA_DIR/ca.db.certs
database        = $CA_DIR/ca.db.index
serial  = $CA_DIR/ca.db.serial
RANDFILE        = $CA_DIR/ca.db.rand
certificate     = $CA_DIR/certs/[ca.crt]
private_key     = $CA_DIR/private/[ca.key]
default_days    = 730
default_crl_days        = 30
# sha256 instead of the md5 of the original script: MD5 signatures are
# forgeable, and OpenSSL 1.1 and later reject MD5-signed certificates at
# the default security level
default_md      = sha256
preserve        = no
policy  = policy_anything
[ policy_anything ]
countryName     = optional
stateOrProvinceName     = optional
localityName    = optional
organizationName        = optional
organizationalUnitName  = optional
commonName      = supplied
emailAddress    = optional
EOT
#  sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out "$CERT" -infiles "$CSR" || { /bin/rm -f ca.config; exit 1; }
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile "$CA_DIR/certs/[ca.crt]" "$CERT"
#  cleanup after SSLeay
/bin/rm -f ca.config
/bin/rm -f "$CA_DIR/ca.db.serial.old"
/bin/rm -f "$CA_DIR/ca.db.index.old"
#  die gracefully
exit 0


export.sh   A script to tidy up the files and put them into separate folders for archival

#!/bin/bash
FILE_BASE=$1

if [ $# -ne 1 ]; then
  echo "Usage: $0 <base-filename>"
  echo "  If <base-filename>.key and <base-filename>.crt exist:"
  echo "  <base-filename>.key will be moved to ./export/private"
  echo "  <base-filename>.crt will be moved to ./export/certs"
  echo "  <base-filename>.csr will be deleted if it exists"
  exit 1
fi

if [ ! -e ${FILE_BASE}.key ]; then
  echo "File ${FILE_BASE}.key does not exist!"
  exit 1;
fi

if [ ! -e ${FILE_BASE}.crt ]; then
  echo "File ${FILE_BASE}.crt does not exist!"
  exit 1;
fi

if [ ! -d export/certs ]; then
  echo "Destination ./export/certs does not exist. Please create this directory and try again."
  exit 1;
fi
if [ ! -d export/private ]; then
  echo "Destination ./export/private does not exist. Please create this directory and try again."
  exit 1;
fi

mv ${FILE_BASE}.key export/private
chmod 0400 export/private/${FILE_BASE}.key

mv ${FILE_BASE}.crt export/certs

if [ -e ${FILE_BASE}.csr ]; then
  rm ${FILE_BASE}.csr
fi

echo "Done."
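Added example, not part of the original post and not the Bacula project's own code: the three scripts above rolled into one self-contained shell file that creates the CA, issues one certificate per daemon, verifies them against the CA the way a peer with TLS Verify Peer = yes would, and prints the two Bacula resources on either side of the Director -> FD connection (the FD's Director resource is the server side, the Director's Client resource the client side). Assumptions, all made up for the example: the hostnames dir.example.com and fd1.example.com, the password s3cret, the /etc/bacula paths, and signing with openssl x509 -req instead of openssl ca so that no CA database directory is needed. The TLS directive names are the documented Bacula ones.

```shell
#!/bin/sh
# Added example (not from the original post or the Bacula project):
# CA -> daemon certificates -> verification -> Bacula config, in one file.
# Hostnames, password and /etc/bacula paths are constructed for the example.
set -eu

DAYS=730

# Create the self-signed root CA (key + certificate) in directory $1.
# The CA key signs every daemon certificate, so keep it off the backup
# hosts; only ca.crt is copied to them.
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
    -subj "/O=Example Backup CA/CN=bacula-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt"
  chmod 0400 "$1/ca.key"
}

# Issue a daemon certificate: $1 = CA dir, $2 = output base name, $3 = CN.
# A Bacula daemon is a TLS server for some connections and a client for
# others (the Director connects to the FD, the FD connects to the SD), so
# the certificate carries both serverAuth and clientAuth.
issue_cert() {
  cadir=$1 base=$2 cn=$3
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Backup/CN=$cn" \
    -keyout "$base.key" -out "$base.csr"
  ext=$(mktemp)
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth,clientAuth\n' "$cn" >"$ext"
  openssl x509 -req -sha256 -days "$DAYS" -in "$base.csr" \
    -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" -CAcreateserial \
    -extfile "$ext" -out "$base.crt"
  rm -f "$ext" "$base.csr"
  chmod 0400 "$base.key"
}

# Check that certificate $2 chains to the CA in $1; prints "ok" or "FAIL".
# This is the check a daemon performs on its peer when TLS Verify Peer = yes.
verify_cert() {
  if openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}

# Print the CN of certificate $1: the value "TLS Allowed CN" is matched against.
cert_cn() {
  openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# Director resource of bacula-fd.conf (server side of Director -> FD):
# $1 = Director name, $2 = password, $3 = Director's CN, $4 = CA dir,
# $5 = base name of the FD's own cert/key. The FD verifies the connecting
# Director's certificate and accepts only the listed CN.
fd_director_resource() {
  cat <<EOF
Director {
  Name = $1
  Password = "$2"
  TLS Enable = yes
  TLS Require = yes
  TLS Verify Peer = yes
  TLS Allowed CN = "$3"
  TLS CA Certificate File = $4/ca.crt
  TLS Certificate = $5.crt
  TLS Key = $5.key
}
EOF
}

# Client resource of bacula-dir.conf (client side of the same connection):
# $1 = client name, $2 = FD address, $3 = password, $4 = CA dir,
# $5 = base name of the Director's own cert/key.
dir_client_resource() {
  cat <<EOF
Client {
  Name = $1
  Address = $2
  Password = "$3"
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = $4/ca.crt
  TLS Certificate = $5.crt
  TLS Key = $5.key
}
EOF
}

# Walk through it once in a scratch directory with the constructed names.
WORK=$(mktemp -d)
make_ca "$WORK/ca"
issue_cert "$WORK/ca" "$WORK/bacula-dir" dir.example.com
issue_cert "$WORK/ca" "$WORK/fd1" fd1.example.com
echo "fd1 certificate against our CA: $(verify_cert "$WORK/ca" "$WORK/fd1.crt")"
fd_director_resource bacula-dir s3cret "$(cert_cn "$WORK/bacula-dir.crt")" /etc/bacula/ca /etc/bacula/fd1
dir_client_resource fd1-fd fd1.example.com s3cret /etc/bacula/ca /etc/bacula/bacula-dir
rm -rf "$WORK"
```

Start with TLS Enable/Require and the CA file only, as the reply advises, and add TLS Verify Peer plus TLS Allowed CN once the plain connection works; a certificate issued by any other CA, even one carrying the same CN, fails the verify_cert check, which is exactly what protects the FD from a rogue Director.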



_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users