Server Certificates
Your Lindenberg Software Backup server needs to have certificates in order for https encryption to work and in order to allow your clients to authenticate that they are communicating with the server they expect to communicate with. If clients cannot authenticate the server, they might be disclosing your password and data to someone else.
As Lindenberg Software Backup supports server name indication, you can have any number of hostnames internally and externally, and use a different certificate for any of them. You can view the server name indication also as a special technique for domain validation, as Lindenberg Software Backup will never look for a certificate unless it receives a connection for a specific server name. But when it receives a connection, it needs to look for a certificate in the keystore of the local system (to be specific the My section) with a matching canonical name or subject alternative name, or the connection will fail. If there are multiple certificates matching, backup always selects the one with the highest validity date.
Lindenberg Software Backup can reuse any existing certificate infrastructure. Thus the following options all work:
- any certificate issued by a well known certification authority. Rather than point you to the expensive one I rather recommend free certificates from letsencrypt.org. In the past I wrote, "unfortunately difficult to use with Windows". Fortunately this changed, please check out the list of ACME Client Implementations for Windows/IIS. The certificates *.homeserver.com available with Windows Home Server 2011 also fall into this category.
The common criteria for this group is that Windows trust these certification authorities out of the box.
Note: well known certification authorities will provide certificates for your external domain names only. Thus if you do not control your internal DNS you may have to look into one of the other options, or rely on your router to route backup traffic for your external domain name fast enough. - certificates provided by a Windows certification authority or similar, in fact acting as a private certification authority. The certificates issued with NetBIOS names to server and client in a Windows Home Server 2011, a Windows Server Essentials landscape, or the certificates provided by Lights-Out also fall into this category.
The common criteria for this group is that the infrastructure used establishes trust behind the scene, and that you typically can get certificates for names that are not visible externally. - self signed certificates or certificates signed by your own certification authorities. Obviously you will have to establish trust yourself by importing the root certificate(s) on all clients.
- and you can also mix as you like.
Do not use http as this will transmit your credentials and all data unencrypted. http is only there for debugging purposes. If you are unsure about which option to use, I definitely recommend to try Lights-Out as it has an easy to use user interface.