Hi Sébastien,
Check out the Bacula documentation on TLS. The example configs are a good start.
Also check out OpenSSL docs on how to become your own Certificate Authority so you can create your own certificates.
This may take some effort and time if you are unfamiliar with certificates. Without the right certificates it will not work.
OpenSSL has some functionality with which you can check the certificates. You can create some sort of server and try to connect to it but I don't remember how that works anymore. Google for it.
It's important to start with the simplest solution (e.g. no TLS) and then gradually add some TLS features. (So don't start with the "TLS Allowed CN" or something like that. Add that when the plain TLS connection works.)
Also important to understanding what's going on is figuring out what connects to what. The part about firewalls in the Bacula documentation has a small and useful overview of that. For the TLS connection the "client" is the connecting party and the server is the party being connected to. Example: When the bacula-dir connects to the bacula-fd, the bacula-dir is the client and the bacula-fd is the server. (See comments in the example configs in the Director resource of the bacula-fd config.)
I have created some scripts to create and sign my own certificates because I just can't remember the command line options for openssl. They are used in a Fedora 6 environment so you may have to change some paths to match your setup.
Before you can use these scripts you need:
- A proper openssl config file.
  Place the file location in create.sh at the [openssl.cnf] placeholder.
- Your self-signed root-certificate and private key.
  Place them in their placeholders [ca.crt] and [ca.key] in the sign script.
- Check all paths in sign.sh (/etc/pki/CA/ in my installation) and make sure they match your setup.
(Note: The sign script is not mine, I found it on the internet somewhere and don't remember who wrote it so I can't give credit.)
Of course this doesn't explain TLS fully but I hope this helps a bit.
Regards,
Maarten Hoogveld
create.sh - A script to create a new key-pair and a cert-sign-request.

#!/bin/bash
FILE_BASE=$1
if [ $# -ne 1 ]; then
    echo "Usage: $0 <base-filename>"
    echo "  Creates a key-pair and csr (Certificate Signing Request)"
    echo "  Files created are <base-filename>.key and <base-filename>.csr."
    exit 1
fi
if [ -e "${FILE_BASE}.key" ]; then
    echo "File ${FILE_BASE}.key already exists."
    echo "Exiting."
    exit 1
fi
# -nodes leaves the private key unencrypted so the Bacula daemon can read it
# without a passphrase; protect the .key file with file permissions instead.
# (-days only applies to -x509 self-signed certificates; the validity of the
# signed certificate is set by the CA in sign.sh.)
openssl req -config [openssl.cnf] -new -nodes -keyout "${FILE_BASE}.key" -out "${FILE_BASE}.csr" -days 730
echo "Done."

sign.sh - A script to sign a sign-request.
#!/bin/sh
# Run this from the CA directory (/etc/pki/CA here): the checks below use the
# current directory, while the generated config uses absolute paths.
# argument line handling
CSR=$1
if [ $# -ne 1 ]; then
    echo "Usage: ${0} <whatever>.csr"; exit 1
fi
if [ ! -f "$CSR" ]; then
    echo "CSR not found: $CSR"; exit 1
fi
case $CSR in
    *.csr ) CERT="`echo "$CSR" | sed -e 's/\.csr$/.crt/'`" ;;
    * )     CERT="$CSR.crt" ;;
esac
# make sure environment exists
if [ ! -d ca.db.certs ]; then
    mkdir ca.db.certs
fi
if [ ! -f ca.db.serial ]; then
    echo '01' >ca.db.serial
fi
if [ ! -f ca.db.index ]; then
    cp /dev/null ca.db.index
fi
# create an own SSLeay config
cat > ca.config <<EOT
[ ca ]
default_ca = CA_own
[ CA_own ]
dir = /etc/pki/CA
certs = /etc/pki/CA/certs
new_certs_dir = /etc/pki/CA/ca.db.certs
database = /etc/pki/CA/ca.db.index
serial = /etc/pki/CA/ca.db.serial
RANDFILE = /etc/pki/CA/ca.db.rand
certificate = /etc/pki/CA/certs/[ca.crt]
private_key = /etc/pki/CA/private/[ca.key]
default_days = 730
default_crl_days = 30
# md5 is no longer considered safe for certificate signatures; use sha256
# on a current system.
default_md = md5
preserve = no
policy = policy_anything
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
EOT
# sign the certificate
echo "CA signing: $CSR -> $CERT:"
openssl ca -config ca.config -out "$CERT" -infiles "$CSR"
echo "CA verifying: $CERT <-> CA cert"
openssl verify -CAfile /etc/pki/CA/certs/[ca.crt] "$CERT"
# cleanup after SSLeay
/bin/rm -f ca.config
/bin/rm -f ca.db.serial.old
/bin/rm -f ca.db.index.old
# die gracefully
exit 0

export.sh - A script to tidy up the files and put them into separate folders for archival.
#!/bin/bash
FILE_BASE=$1
if [ $# -ne 1 ]; then
    echo "Usage: $0 <base-filename>"
    echo "  If <base-filename>.key and <base-filename>.crt exist:"
    echo "  <base-filename>.key will be moved to ./export/private"
    echo "  <base-filename>.crt will be moved to ./export/certs"
    echo "  <base-filename>.csr will be deleted if it exists"
    exit 1
fi
if [ ! -e "${FILE_BASE}.key" ]; then
    echo "File ${FILE_BASE}.key does not exist!"
    exit 1
fi
if [ ! -e "${FILE_BASE}.crt" ]; then
    echo "File ${FILE_BASE}.crt does not exist!"
    exit 1
fi
if [ ! -d export/certs ]; then
    echo "Destination ./export/certs does not exist. Please create this directory and try again."
    exit 1
fi
if [ ! -d export/private ]; then
    echo "Destination ./export/private does not exist. Please create this directory and try again."
    exit 1
fi
mv "${FILE_BASE}.key" export/private
# the private key must only be readable by the daemon's user
chmod 0400 "export/private/${FILE_BASE}.key"
mv "${FILE_BASE}.crt" export/certs
if [ -e "${FILE_BASE}.csr" ]; then
    rm "${FILE_BASE}.csr"
fi
echo "Done."
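The following is an added example, not part of Maarten's mail and not Bacula or OpenSSL project code. It walks the whole flow the mail describes in one self-contained POSIX sh script: build the self-signed root CA (the [ca.crt]/[ca.key] the sign script expects), create a key and CSR per daemon, sign it, and then do the two checks a practitioner wants before touching any Bacula config: does the certificate verify against our CA, and does it carry the CN you intend to put into "TLS Allowed CN". It also verifies the daemon certificate against an unrelated CA to show that the check really rejects certificates from the wrong issuer. Assumptions: the scratch directory WORKDIR, the host names under example.test, and signing with `openssl x509 -req` (which needs no ca.db.* bookkeeping) instead of `openssl ca` as sign.sh does; the minimal openssl.cnf is written inline so no system config is needed.

```shell
#!/bin/sh
# Added example: a minimal private CA for Bacula TLS certificates, built with
# plain openssl commands. Everything lives under WORKDIR (assumption).
set -eu
WORKDIR="${WORKDIR:-./bacula-ca-demo}"

# Minimal config: req needs a distinguished_name section even when -subj is
# used; v3_ca marks the root as a CA so openssl verify accepts it as issuer.
write_openssl_cnf() {
    cat > "$1" <<'EOT'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOT
}

# Step 1: self-signed root certificate and private key ("become your own CA").
make_ca() {
    dir=$1
    mkdir -p "$dir"
    write_openssl_cnf "$dir/openssl.cnf"
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    chmod 0400 "$dir/ca.key"
    openssl req -config "$dir/openssl.cnf" -new -x509 -sha256 -days 3650 \
        -extensions v3_ca -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example Bacula CA"
}

# Step 2: key + CSR for one daemon (what create.sh does). The CN is the name
# you will later list in that daemon's peer "TLS Allowed CN".
make_csr() {
    dir=$1; name=$2; cn=$3
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    chmod 0400 "$dir/$name.key"
    openssl req -config "$dir/openssl.cnf" -new -key "$dir/$name.key" \
        -out "$dir/$name.csr" -subj "/CN=$cn"
}

# Step 3: sign the CSR with the CA (what sign.sh does, without the ca.db.* files).
sign_csr() {
    dir=$1; name=$2
    openssl x509 -req -sha256 -days 730 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$name.crt"
    rm -f "$dir/$name.csr"
}

# Step 4a: does the certificate chain to the given CA? (exit status only)
verify_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 4b: the CN actually embedded in a certificate, to compare with TLS Allowed CN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject=[[:space:]]*CN=//'
}

build_demo() {
    make_ca "$WORKDIR"
    make_csr "$WORKDIR" bacula-fd "bacula-fd.example.test"
    sign_csr "$WORKDIR" bacula-fd
    make_csr "$WORKDIR" bacula-dir "bacula-dir.example.test"
    sign_csr "$WORKDIR" bacula-dir
    # Unrelated CA, used only as a negative control for the verify check.
    make_ca "$WORKDIR/other-ca"
}

report() {
    for name in bacula-fd bacula-dir; do
        if verify_cert "$WORKDIR/ca.crt" "$WORKDIR/$name.crt"; then
            echo "$name.crt: chains to our CA, CN=$(cert_cn "$WORKDIR/$name.crt")"
        else
            echo "$name.crt: does NOT verify against our CA"; return 1
        fi
    done
    if verify_cert "$WORKDIR/other-ca/ca.crt" "$WORKDIR/bacula-fd.crt"; then
        echo "unexpected: bacula-fd.crt verified against an unrelated CA"; return 1
    fi
    echo "bacula-fd.crt correctly rejected by an unrelated CA"
}

# Run the flow when openssl is available; otherwise only the functions are defined.
if command -v openssl >/dev/null 2>&1; then
    build_demo
    report
fi
```

To test the connection itself before enabling TLS in Bacula, remember the direction from the mail: the connecting daemon is the client. On the machine that will run bacula-fd, `openssl s_server -accept <port> -cert bacula-fd.crt -key bacula-fd.key -CAfile ca.crt -Verify 1` listens and demands a client certificate; from the director host, `openssl s_client -connect <fd-host>:<port> -cert bacula-dir.crt -key bacula-dir.key -CAfile ca.crt` should report "Verify return code: 0 (ok)". Only once that works is it worth adding "TLS Allowed CN" with the CNs printed above.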