Server Certificates

Your Lindenberg Software Backup server needs certificates, both for HTTPS encryption to work and to allow your clients to verify that they are communicating with the server they expect. If clients cannot authenticate the server, they might be disclosing your password and data to someone else.

As Lindenberg Software Backup supports server name indication (SNI), you can have any number of hostnames internally and externally, and use a different certificate for each of them. You can also view server name indication as a special technique for domain validation, as Lindenberg Software Backup will never look for a certificate unless it receives a connection for a specific server name. When it does receive a connection, it needs to find a certificate in the keystore of the local system (specifically, the My section) with a matching common name or subject alternative name (supported as of 1.1.6322), or the connection will fail. If multiple certificates match, Lindenberg Software Backup always selects the one with the highest validity date.
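To see in advance which certificates in the local machine's My store would match a given server name, the following PowerShell function lists the candidates with their validity and private-key status. It is an added example, not Lindenberg Software Backup's own selection code. The wildcard rule, the reading of "highest validity date" as the latest NotAfter, the function name and the host name `backup.example.com` are assumptions made for illustration.

```powershell
# Added example: audit which certificates in LocalMachine\My match a server name.
# The matching and ordering rules below are assumptions, not the product's own logic.
function Get-CandidateServerCertificate {
    param(
        [Parameter(Mandatory)] [string] $ServerName   # name the clients connect to (SNI)
    )

    $now = Get-Date
    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_

        # Subject simple name (the common name when one is present) ...
        $cn = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        # ... plus the DNS names PowerShell exposes for the certificate.
        $names = @($cn) + @($cert.DnsNameList | ForEach-Object { $_.Unicode }) |
            Where-Object { $_ } | Sort-Object -Unique

        # Assumption: exact match, or a wildcard covering exactly one leading label.
        $matched = $names | Where-Object {
            $_ -ieq $ServerName -or
            ($_.StartsWith('*.') -and
             $ServerName -imatch ('^[^.]+' + [regex]::Escape($_.Substring(1)) + '$'))
        }

        if ($matched) {
            [pscustomobject]@{
                Thumbprint    = $cert.Thumbprint
                MatchedName   = ($matched -join ', ')
                NotBefore     = $cert.NotBefore
                NotAfter      = $cert.NotAfter
                # A certificate outside its validity period will be rejected by clients.
                InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
                # A server certificate is unusable without its private key.
                HasPrivateKey = $cert.HasPrivateKey
            }
        }
    } | Sort-Object NotAfter -Descending   # assumption: latest NotAfter listed first
}

# 'backup.example.com' is a placeholder host name.
Get-CandidateServerCertificate -ServerName 'backup.example.com' | Format-Table -AutoSize
```

An empty result means no certificate in the store matches that name, which is the case in which the connection fails.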

Lindenberg Software Backup can reuse any existing certificate infrastructure and establish trust on the fly during the "Test" call. Thus the following options should all work:

  • any certificate issued by a well-known certification authority. Rather than pointing you to the expensive ones, I recommend free certificates from letsencrypt.org, which unfortunately are difficult to use with Windows. The certificates *.homeserver.com available with Windows Home Server 2011 also fall into this category.
    The common criterion for this group is that Windows trusts these certification authorities out of the box.
    Note: well-known certification authorities will provide certificates for your external domain names only.
  • certificates provided by a Windows certification authority or similar, in effect acting as a private certification authority. The certificates issued with NetBIOS names to server and client in a Windows Home Server 2011 or Windows Server Essentials landscape, or the certificates provided by Lights-Out 2.0, also fall into this category.
    The common criterion for this group is that the infrastructure used establishes trust behind the scenes.
  • self-signed certificates or certificates signed by your own certification authorities. Obviously you will have to establish trust yourself, either by importing the root certificate on all clients or by establishing trust on a "Test" connection.

Do not use HTTP, as it transmits your credentials and all data unencrypted. HTTP is only there for debugging purposes.