Using Certificates Issued by Different Root

It is possible to have a TLS environment that uses certificates issued by different CAs. In previous examples, we have been using only one root CA:

# openssl genrsa -out ./keys/root_key.pem 4096
# openssl req -new -x509 -batch -config ./openssl.cnf -key ./keys/root_key.pem -days 36500 -out ./certs/root_cert.pem

If your Bacula environment uses multiple root CAs, there are two possible ways to configure it:

  1. Concatenate all the root CA certificates into one .pem file and reference that file in the TLS CA Certificate File directive:

    # cat root_cert_ca1.pem root_cert_ca2.pem root_cert_ca3.pem > root_cert_ca.pem
    
    • Use TLS CA Certificate File = /usr/local/bacula/etc/ssl/certs/root_cert_ca.pem in the TLS directives of the resource definitions.

  2. Use the TLS CA Certificate Dir directive instead. In this case, each certificate in the directory must be reachable under an OpenSSL-compatible hash name (the <hash>.0 symlinks below). For example:

root@darkstar:/opt/bacula/ssl/certs# ls -l
...
lrwxrwxrwx 1 root root 19 Oct 25 23:10 7293a8c5.0 -> root_ca1_cert.pem
lrwxrwxrwx 1 root root 19 Oct 25 23:10 8fb0c2b0.0 -> root_ca2_cert.pem
lrwxrwxrwx 1 root root 18 Oct 25 23:10 a6476ecf.0 -> root_ca3_cert.pem
-rw-r--r-- 1 root root 2134 Sep 7 16:03 root_ca1_cert.pem
-rw-r--r-- 1 root root 2134 Sep 7 15:56 root_ca2_cert.pem
-rw-r--r-- 1 root root 2134 Sep 7 11:47 root_ca3_cert.pem
    • Use TLS CA Certificate Dir = /opt/bacula/ssl/certs (the directory listed above) in the TLS directives of the resource definitions.
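
How the hashed links in the listing above come about, as an added example that is not part of the Bacula documentation: it rebuilds the <hash>.N symlinks for every *.pem in a CA directory and checks a certificate against that directory only. The function names hash_ca_dir and ca_dir_trusts are hypothetical; the code assumes OpenSSL 1.1.0 or later on the PATH and a directory that holds only certificates.

```shell
#!/bin/sh
# Added example: not part of the Bacula documentation.

# hash_ca_dir DIR  (hypothetical helper)
# Create the <subject-hash>.N symlinks OpenSSL looks up in a CA directory.
# Assumes DIR contains only certificates as *.pem. Prints the link count.
hash_ca_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # Drop old hash links first, so a CA whose .pem was removed loses trust.
    for link in "$dir"/????????.[0-9]; do
        if [ -L "$link" ]; then rm -f "$link"; fi
    done
    count=0
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        hash=$(openssl x509 -noout -subject_hash -in "$pem") || {
            echo "not a readable certificate: $pem" >&2; return 1; }
        # Different CAs can share a hash; OpenSSL then tries .0, .1, .2 ...
        n=0
        while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
            n=$((n + 1))
        done
        ln -s "$(basename "$pem")" "$dir/$hash.$n"
        count=$((count + 1))
    done
    echo "$count"
}

# ca_dir_trusts DIR CERT  (hypothetical helper)
# Succeeds only if CERT chains to a root found through DIR's hash links.
# -no-CAfile keeps the system-wide CA bundle out of the decision.
ca_dir_trusts() {
    openssl verify -no-CAfile -CApath "$1" "$2" >/dev/null 2>&1
}

# Usage, with the directory from the listing above:
#   hash_ca_dir /opt/bacula/ssl/certs
#   ca_dir_trusts /opt/bacula/ssl/certs /path/to/some_cert.pem   # placeholder path
```

OpenSSL's own `openssl rehash` (or the older `c_rehash` script) produces the same links; re-run whichever you use after adding or removing a CA file.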
