Using Certificates Issued by Different Root CAs

It is possible to have a TLS environment that uses certificates issued by different CAs. In previous examples, we have been using only one root CA:

# openssl genrsa -out ./keys/root_key.pem 4096
# openssl req -new -x509 -batch -config ./openssl.cnf -key ./keys/root_key.pem -days 36500 -out ./certs/root_cert.pem

If your Bacula environment uses multiple root CAs, there are two possible ways to configure it:

  1. concatenate all the root CA certificates into one .pem file and reference it in the TLS CA Certificate File directive:

    # cat root_cert_ca1.pem root_cert_ca2.pem root_cert_ca3.pem > root_cert_ca.pem

    • use TLS CA Certificate File = /usr/local/bacula/etc/ssl/certs/root_cert_ca.pem in the TLS directives of the resource definitions.

  2. use the TLS CA Certificate Dir directive instead. In this case, each certificate in the directory must be reachable through an OpenSSL-compatible hash name (a symbolic link of the form hash.0), as in the example below:

root@darkstar:/opt/bacula/ssl/certs# ls -l
...
lrwxrwxrwx 1 root root 19 Oct 25 23:10 7293a8c5.0 -> root_ca1_cert.pem
lrwxrwxrwx 1 root root 19 Oct 25 23:10 8fb0c2b0.0 -> root_ca2_cert.pem
lrwxrwxrwx 1 root root 18 Oct 25 23:10 a6476ecf.0 -> root_ca3_cert.pem
-rw-r--r-- 1 root root 2134 Sep 7 16:03 root_ca1_cert.pem
-rw-r--r-- 1 root root 2134 Sep 7 15:56 root_ca2_cert.pem
-rw-r--r-- 1 root root 2134 Sep 7 11:47 root_ca3_cert.pem
    • use TLS CA Certificate Dir = /opt/bacula/ssl/certs in the TLS directives of the resource definitions.
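
The following script is an added example, not part of the Bacula documentation: it builds the hashed directory that option 2 requires and checks that a certificate is accepted only when its root is linked there. The Demo root_caN CAs, the fd-trusted and fd-untrusted leaf names, the helper function names and the temporary directory are all constructed for the demonstration.

```shell
# Added example, not from the Bacula manual; CA and host names are constructed.
# `openssl rehash DIR` (OpenSSL 1.1.0+) automates what hash_ca_dir does by hand.
# Create <subject-hash>.N symlinks for each *.pem certificate in directory $1.
hash_ca_dir() {
    for cert in "$1"/*.pem; do
        [ -f "$cert" ] || continue
        h=$(openssl x509 -noout -subject_hash -in "$cert" 2>/dev/null) || continue
        n=0
        # Certificates that share a subject hash get suffixes .0, .1, ...
        while [ -L "$1/$h.$n" ]; do
            [ "$(readlink "$1/$h.$n")" = "${cert##*/}" ] && continue 2  # already linked
            n=$((n + 1))
        done
        ln -s "${cert##*/}" "$1/$h.$n"
    done
}

# Succeed only if certificate $2 chains to a root linked in hashed directory $1.
verify_in_dir() {
    openssl verify -CApath "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Throwaway root CA for the demo: writes $1/$2.pem and $1/$2.key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo $2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# Leaf certificate $1/$3.pem signed by the CA named $2.
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# Returns 0 if a leaf from a linked root verifies and one from an unlinked root fails.
demo_multi_root() {
    w=$(mktemp -d) && mkdir "$w/cadir" || return 1
    for ca in root_ca1 root_ca2 root_ca3; do make_ca "$w" "$ca" || return 1; done
    make_leaf "$w" root_ca2 fd-trusted && make_leaf "$w" root_ca3 fd-untrusted || return 1
    cp "$w/root_ca1.pem" "$w/root_ca2.pem" "$w/cadir/"   # root_ca3 left out on purpose
    hash_ca_dir "$w/cadir"
    verify_in_dir "$w/cadir" "$w/fd-trusted.pem" &&
        ! verify_in_dir "$w/cadir" "$w/fd-untrusted.pem"
    rc=$?; rm -rf "$w"; return $rc
}

demo_multi_root && echo "linked root accepted, unlinked root rejected"
```

After adding or removing a root certificate in the directory named by TLS CA Certificate Dir, regenerate the links and delete any link that still points to a CA you no longer trust.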
