Hi, I would like to ask about a custom satellite. According to the storj-whitepaper, “During setup, storage nodes, Satellites, and Uplinks all generate their own identity and certificates for use in the network”, and Satellites sign nodes' certificates during authorization.
Identity contains 3 certificates:
- leaf certificate signed by CA certificate
- CA certificate signed by satellite certificate
- CA satellite public key signed by satellite certificate
So any node, Satellites, Uplinks must be signed, but who signs Satellites' certificates? If I would like to run a custom satellite, do I have to use a self-signed CA certificate and a leaf certificate signed by the CA certificate?
TL;DR: Just generate an identity for your Satellite, no need to sign it.
Based on your comment it seems to be clear to you, but let me double click on this:
Every identity has a CA cert inside:
This is different from the PeerCAWhiteList, which is a very specific key used to sign the identity (=CA + keys) of the Storagenodes. This happens during identity authorize. It is required only for Storagenodes, and only because our Satellites are configured so. You may prefer a different configuration option.
This is not 100% true. Uplink uses a generated identity, and it is only signed by the internal CA, not by the authorization key.
Generic rule: When any components of the ecosystem communicate with each other via TLS/DRPC, they use simple Identities (=CA + public/private keys, the top left part of the picture).
But there can be additional requirements for the communication:
- Satellite may require double-signed Identities from Storagenode (not from Uplink). This can be turned off by server.use-peer-ca-whitelist: false, but it's turned on for Storj Labs Satellites. (It makes it harder to create many fake storagenodes…)
- Satellite may require Identity with specific difficulty (configurable: overlay.minimum-new-node-id-difficulty: ...)
- Storagenode has endpoints for the connected Satellite. It is verified that they are used only by trusted Satellites.
Hope it’s clear enough. There is also a video about identities:
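As an added example (not code from the question, the reply, or the Storj project), a Go sketch of the three situations the reply describes: a simple identity (CA + leaf) that a Satellite or Uplink generates on its own, the extra authorization signature a storagenode's CA receives from a Satellite, and the check a Satellite can run with or without a peer CA whitelist. The names, the ECDSA P-256 keys and the certificate templates are this example's own; the real identity package differs in its details.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Identity is the post's "simple identity": a self-signed CA cert plus a leaf cert signed by that CA.
type Identity struct{ CA, Leaf *x509.Certificate }
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// NewKey returns a fresh P-256 key; using ECDSA for every cert is this example's own choice.
func NewKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
// Template is a minimal cert template; isCA marks a cert that may sign other certs.
func Template(cn string, serial int64, isCA bool) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
}
// issue signs template t for pub with signer; parent is the signer's cert (t itself when self-signing).
func issue(t, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))))
}
// NewIdentity self-signs a CA and issues a leaf under it: all a Satellite or Uplink needs, no third party involved.
func NewIdentity() Identity {
	caKey, leafKey, caT := NewKey(), NewKey(), Template("ca", 1, true)
	ca := issue(caT, caT, &caKey.PublicKey, caKey)
	return Identity{ca, issue(Template("leaf", 2, false), ca, &leafKey.PublicKey, caKey)}
}
// Authorize models the storagenode-only step: the CA cert is re-issued under the satellite's authorization cert.
func Authorize(id Identity, authCert *x509.Certificate, authKey *ecdsa.PrivateKey) Identity {
	return Identity{issue(id.CA, authCert, id.CA.PublicKey, authKey), id.Leaf}
}
// Verify: the leaf must chain to its own CA; with a whitelist the CA must also chain to a whitelisted authorization cert.
func Verify(id Identity, whitelist *x509.CertPool) error {
	own := x509.NewCertPool()
	own.AddCert(id.CA)
	_, err := id.Leaf.Verify(x509.VerifyOptions{Roots: own})
	if err == nil && whitelist != nil {
		_, err = id.CA.Verify(x509.VerifyOptions{Roots: whitelist})
	}
	return err
}
```

Calling Verify with a nil whitelist is the Uplink/Satellite case from the reply; passing a pool of authorization certs is the storagenode case that server.use-peer-ca-whitelist turns on.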