Please explain about the content of the certificates

Hello everyone

After registering a new node, 6 files appear in the identity folder. I was trying to sort out the certificates, and I came to a dead end:

file ca.1xxxxxxxxx.cert

contains single certificate:

-----BEGIN CERTIFICATE-----
Mxxzxxxzxczxczxczxczxczxczxczx=
-----END CERTIFICATE-----

file ca.cert contains 2 certificates:

-----BEGIN CERTIFICATE-----
Mxxzxxxzxczxczxczxczxczxczxczx=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Mxxzxxxzxczxczxczxczxczxczxczx=
-----END CERTIFICATE-----

file ca.key

contains single key to first certificate of ca.cert:

-----BEGIN PRIVATE KEY-----
MIxxxxxxxxxxxxxxxxxx
-----END PRIVATE KEY-----

file identity.1xxxxxxxx.cert contains 2 certificates:

-----BEGIN CERTIFICATE-----
Mxxzxxxzxczxczxczxczxczxczxczx=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Mxxzxxxzxczxczxczxczxczxczxczx=
-----END CERTIFICATE-----

file identity.cert contains 3 certificates:

-----BEGIN CERTIFICATE-----
Mxxzxxxzxczxczxczxczxczxczxczx=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Mxxzxxxzxczxczxczxczxczxczxczx=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Mxxzxxxzxczxczxczxczxczxczxczx=
-----END CERTIFICATE-----

file identity.key contains 1 private key:

-----BEGIN PRIVATE KEY-----
Mxxxxxxxxxxxxxxxxxxxzczxczczcc
-----END PRIVATE KEY-----

In total we have 8 certificates. I would like to know which one is used for what.

You may read about PKI here: Public key infrastructure - Wikipedia
About using PKI for peer-to-peer communications, you may read sections 4.4 Node identity and 4.5 Peer-to-peer communication of our Whitepaper v3.

ca.1xxxxxxxxx.cert: an unsigned Certificate Authority Certificate.

ca.cert: a signed (by authorization token from our Auth service) CA Certificate.

ca.key: a Private Key for the CA Certificate.

identity.1xxxxxxxx.cert: an unsigned Identity Certificate, related to your node's identity - it's basically a passport of the storagenode.

identity.cert: a signed Identity Certificate.

identity.key: a Private Key for your Identity Certificate.

So you need to back up this folder in case it gets corrupted or lost, but it's also advisable to copy this folder to the disk with the data, so as not to confuse identities and their data if you run multiple nodes; it should also prevent you from losing your node if you decide to reinstall your OS (because the identity without its data is useless, and data without its identity is useless too).

4 Likes

Thank you, but why does ca.cert have 2 certificates, and identity.cert 3 certificates? AFAIK, they need only 1 for the CA and 1 for the node itself.

After generating a new identity, identity.cert will contain two certificates:

  1. public key of identity.key signed by ca.key
  2. public key of ca.key signed by ca.key

Your NodeID is derived from the public key of ca.key (double sha256), but to communicate with satellites you need only the identity.key (and the proof that the ca.key has signed the identity → the 2 certs).

Except that Storj Labs satellites are not talking with just anybody; that's where you need to ask for authorization by visiting Sign up and host a Node on Storj and using the token with identity authorize.

As a result, you will have 3 certs:

  1. the public version of identity.key signed by ca.key
  2. the public version of ca.key signed by Storj Labs satellite key
  3. Storj Labs satellite key signed by Storj Labs satellite key

Certs with a number in the file name are just backups (the original identity is saved with the epoch in the name).

Based on this, you can diff identity.cert and identity.xxx.cert:

  1. the first certificate should be exactly the same (identity public key signed with ca.key)
  2. second certificate should be different (it was signed by ca.key earlier, but after authorization it is signed by Storj Labs key)
  3. this exists only in the new file, but should be the same across all of your datanodes (storjlabs public key signed by storjlabs private key)

7 Likes
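The file roles listed in the first reply and the two chain layouts in this one can be checked mechanically rather than by eye. The Go program below is an added example, not Storj's code: it builds both bundles with throwaway keys (a constructed "authorizing service" key stands in for the Storj Labs signing key; no real Storj key material, file or ID encoding is involved), parses each PEM bundle, works out which certificate signed which by verifying signatures with crypto/x509, and diffs the two bundles position by position as the reply suggests. parseBundle, Signers, CompareBundles, mkCert and BuildExampleBundles are names chosen here; parseBundle expects a certificate-only file such as identity.cert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// parseBundle reads every PEM block of a certificate-only file, keeping file order.
func parseBundle(b []byte) (certs []*x509.Certificate, err error) {
	for blk, rest := pem.Decode(b); blk != nil; blk, rest = pem.Decode(rest) {
		c, perr := x509.ParseCertificate(blk.Bytes)
		if perr != nil {
			return nil, perr
		}
		certs = append(certs, c)
	}
	return certs, nil
}

// Signers answers "who signed whom": entry i is the index of the bundle certificate
// whose key verifies certificate i's signature (-1 if none; i itself if self-signed).
func Signers(certs []*x509.Certificate) []int {
	out := make([]int, len(certs))
	for i, c := range certs {
		out[i] = -1
		for j, p := range certs {
			if c.CheckSignatureFrom(p) == nil {
				out[i] = j
				break
			}
		}
	}
	return out
}

// CompareBundles diffs two parsed bundles position by position (the check the
// reply suggests between identity.<epoch>.cert and identity.cert).
func CompareBundles(a, b []*x509.Certificate) []string {
	var out []string
	for i := 0; i < len(a) || i < len(b); i++ {
		state := "identical"
		switch {
		case i >= len(a):
			state = "only in second bundle"
		case i >= len(b):
			state = "only in first bundle"
		case string(a[i].Raw) != string(b[i].Raw):
			state = "differs"
		}
		out = append(out, fmt.Sprintf("cert %d: %s", i+1, state))
	}
	return out
}

// mkCert issues a certificate for pub signed by signer; a nil parent means self-signed.
func mkCert(cn string, isCA bool, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, // CheckSignatureFrom rejects non-CA parents
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err) // constructed input; only a programming error gets here
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

func toPEM(certs ...*x509.Certificate) (out []byte) {
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// BuildExampleBundles constructs, with throwaway keys, the two layouts the reply describes:
// before authorization (identity, self-signed CA) and after (identity, CA signed by the
// authority, self-signed authority). "authorizing service" stands in for the Storj Labs key.
func BuildExampleBundles() (before, after []byte) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	idKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	authKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caSelf := mkCert("node CA", true, &caKey.PublicKey, nil, caKey)
	identity := mkCert("node identity", false, &idKey.PublicKey, caSelf, caKey)
	authority := mkCert("authorizing service", true, &authKey.PublicKey, nil, authKey)
	caSigned := mkCert("node CA", true, &caKey.PublicKey, authority, authKey)
	return toPEM(identity, caSelf), toPEM(identity, caSigned, authority)
}

func main() {
	before, after := BuildExampleBundles()
	b, _ := parseBundle(before)
	a, _ := parseBundle(after)
	fmt.Println(Signers(b), Signers(a), CompareBundles(b, a))
}
```

Run with go run: Signers prints 0-based indices, so [1 1] means cert 0 (identity) was signed by cert 1 (the CA) and cert 1 signed itself, while [1 2 2] means the CA is now signed by cert 2 (the authority) and the authority signs itself; CompareBundles prints the three lines matching points 1 to 3 above (identical, differs, only in the second bundle). Pointing parseBundle at your own identity.cert and identity.<epoch>.cert works the same way. Because the CA public key is untouched by authorization (only its signer changes), the NodeID that the reply says derives from that key is the same before and after.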