Introduction
By default, the Redstor StorageServer will present an Attix5 Root TLS certificate. This is a self-signed Redstor certificate that is used by Redstor clients when authenticating. However, you may wish for the StorageServer to present a trusted certificate instead of the Attix5 Root certificate. The StorageServer can be configured to support this behavior.
Configuration
The TLS certificate must support the hostname under which the server has been added to the Redstor Platform, i.e. the address that backup clients connect to.
Once the certificate has been obtained, it can be installed on the StorageServer through the Windows Certificate Manager. The certificate must include the private key (i.e. you need to install the .pfx certificate). By default, the StorageServer runs as Local System, so the certificate should be added to the Local Machine store rather than a user store.
Once the certificate has been installed on the StorageServer, its settings.xml file should be modified to allow this certificate to be presented. The default location for the settings file is C:\ProgramData\Attix5 Pro\<ServiceName>\settings.xml. This file can only be edited while the service is stopped.
To modify the settings file, add the following setting to the <Configuration></Configuration> section of the file:
<UseTrustedCertificates choices="True,False" default="False">True</UseTrustedCertificates>
Save the file and restart the service. This setting will now allow the StorageServer to present the trusted certificate when it receives a request.
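The steps above can be scripted. The following PowerShell is an added example, not Redstor's own tooling. It assumes the Personal store under Local Machine is the right target, and the service name, .pfx path and hostname are placeholders to replace.

```powershell
# Placeholders (assumptions): replace with your own values.
$ServiceName = '<ServiceName>'                  # Windows service name of the StorageServer
$PfxPath     = 'C:\Temp\storageserver.pfx'      # constructed sample path
$ServerHost  = 'backup.example.com'             # address that backup clients connect to
$Settings    = "C:\ProgramData\Attix5 Pro\$ServiceName\settings.xml"

# Import the .pfx into the Local Machine store (Personal store is an assumption).
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword

# The StorageServer needs the private key, an in-date certificate and a matching hostname.
if (-not $cert.HasPrivateKey) { throw 'Certificate was imported without its private key.' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) { throw 'Certificate is outside its validity period.' }
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
$covered = $names | Where-Object {
    # Exact match, or a wildcard that covers exactly one leading label.
    $_ -eq $ServerHost -or
    ($_.StartsWith('*.') -and $ServerHost.Substring($ServerHost.IndexOf('.') + 1) -eq $_.Substring(2))
}
if (-not $covered) { throw "Certificate does not cover $ServerHost (names: $($names -join ', '))." }

# settings.xml can only be edited while the service is stopped.
Stop-Service -Name $ServiceName
try {
    Copy-Item $Settings "$Settings.bak"         # keep a rollback copy
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($Settings)
    $config = $xml.SelectSingleNode('//Configuration')
    if ($null -eq $config) { throw 'No <Configuration> section found in settings.xml.' }
    $node = $config.SelectSingleNode('UseTrustedCertificates')
    if ($null -eq $node) {
        $node = $xml.CreateElement('UseTrustedCertificates')
        $node.SetAttribute('choices', 'True,False')
        $node.SetAttribute('default', 'False')
        [void]$config.AppendChild($node)
    }
    $node.InnerText = 'True'
    $xml.Save($Settings)
}
finally {
    Start-Service -Name $ServiceName            # restart even if the edit failed
}
```

Run it from an elevated PowerShell session on the StorageServer. If the edit fails, restore settings.xml from the .bak copy while the service is stopped.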
Limitations
- The certificate must include the certificate private key to be used by the StorageServer.
- Trusted TLS certificates will be ignored when the request is made without any ALPN data.
- A web browser uses ALPN to tell the host which hostname it is trying to reach, so the host responds with the relevant certificate. If you have two domains and trusted certificates have been installed for both, the service will respond to the client with the correct certificate on a per-request basis.
- Other clients that may connect to the StorageServer, e.g. ESE clients (and SE/DL clients) do not perform this step and are thus "ALPN empty". The default behaviour in this case is for the StorageServer to respond to them with the Attix5 Root certificate.
- The StorageServer can be configured to override this default behaviour and only return the trusted certificate, although this can have adverse effects. If this is essential to your setup, please log a ticket with Redstor Support so that we can provide assistance.