Thanks very much! :) My next step was to actually attempt to acquire the makefile just to see what the differences were between client-server certificates; you've just made my life much easier. :)

cheers
mark

On Sat, Aug 14, 2004 at 11:35:56AM +0200, Michael Arndt wrote:
Heippa Mark,
I hope you give me the chance to add a good dip, if I have to eat some certificates ;-)
Have a look at: http://www.stunnel.org/examples/syslog-ng.html - there you see that you also need a client PEM:
a) One for all clients if you just want encryption
b) A different one for each client if you also need authentication (i.e. you need to establish the correctness of the client identity)
Step by Step:
http://www.emaze.net/~yad/openssl_stunnel_ServerClientAuth.txt
One addition: Look out in the stunnel FAQ for how to generate a link to the stunnel:
$ /usr/local/ssl/misc/c_hash clientcert.pem

You will see an output similar to:

89f05566.0 => clientcert.pem

Now create a symbolic link to this file:

$ ln -s clientcert.pem 89f05566.0

(Stunnel will use a 'hash' to look up the filename. It won't work without this.)
This recipe will also cook on any BSE implementation ;-), I hope.
But if you have access to any Redhat box, you can make your life much easier:
They kindly have spared anyone much work by just building a Makefile that generates all needed keys and gives them the right names; all that's left to you is to snip up the private from the public part and distribute them ...
Makefile attached, just modify the paths inside the Makefile.

hth
Micha
.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem

usage:
	@echo "This makefile allows you to create:"
	@echo "  o public/private key pairs"
	@echo "  o SSL certificate signing requests (CSRs)"
	@echo "  o self-signed SSL test certificates"
	@echo
	@echo "To create a key pair, run \"make SOMETHING.key\"."
	@echo "To create a CSR, run \"make SOMETHING.csr\"."
	@echo "To create a test certificate, run \"make SOMETHING.crt\"."
	@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
	@echo
	@echo "To create a key for use with Apache, run \"make genkey\"."
	@echo "To create a CSR for use with Apache, run \"make certreq\"."
	@echo "To create a test certificate for use with Apache, run \"make testcert\"."
	@echo
	@echo Examples:
	@echo "  make server.key"
	@echo "  make server.csr"
	@echo "  make server.crt"
	@echo "  make stunnel.pem"
	@echo "  make genkey"
	@echo "  make certreq"
	@echo "  make testcert"

%.pem:
	umask 77 ; \
	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	/usr/bin/openssl req -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 ; \
	cat $$PEM1 >  $@ ; \
	echo ""    >> $@ ; \
	cat $$PEM2 >> $@ ; \
	$(RM) $$PEM1 $$PEM2

%.key:
	umask 77 ; \
	/usr/bin/openssl genrsa -des3 1024 > $@

%.csr: %.key
	umask 77 ; \
	/usr/bin/openssl req -new -key $^ -out $@

%.crt: %.key
	umask 77 ; \
	/usr/bin/openssl req -new -key $^ -x509 -days 365 -out $@

KEY=/etc/httpd/conf/ssl.key/server.key
CSR=/etc/httpd/conf/ssl.csr/server.csr
CRT=/etc/httpd/conf/ssl.crt/server.crt

genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)

$(CSR): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req -new -key $(KEY) -out $(CSR)

$(CRT): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req -new -key $(KEY) -x509 -days 365 -out $(CRT)
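What the c_hash step above actually computes, as an added example that is not part of the mail thread or the stunnel FAQ: OpenSSL 0.9.x's subject-name hash, which stunnel uses to find a client certificate in its CApath directory, reproduced in Python with a minimal DER walker. The sample certificate and PEM are constructed for the demonstration (they carry no key or signature) and are not real certificates.

```python
import base64
import hashlib
import struct

def der_tlv(buf, pos):
    # Parse one DER tag and length at pos; return (tag, value_start, value_end).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def x509_subject_der(cert_der):
    # Certificate -> tbsCertificate -> [0] version?, serialNumber, signature, issuer, validity, subject
    _, tbs_start, _ = der_tlv(cert_der, 0)
    _, pos, _ = der_tlv(cert_der, tbs_start)
    if cert_der[pos] == 0xA0:                # v3 certificates carry an explicit [0] version field
        pos = der_tlv(cert_der, pos)[2]
    for _ in range(5):                       # the fifth field is the subject Name
        start, pos = pos, der_tlv(cert_der, pos)[2]
    return cert_der[start:pos]

def subject_hash_old(name_der):
    # X509_NAME_hash of OpenSSL 0.9.x, which is what c_hash / 'openssl x509 -hash' printed in 2004
    # ('openssl x509 -subject_hash_old' in later releases): MD5 of the DER-encoded Name,
    # first four bytes read as a little-endian integer, shown as eight hex digits.
    return "%08x" % struct.unpack("<I", hashlib.md5(name_der).digest()[:4])[0]

def pem_certificate_to_der(pem_text):
    # A stunnel .pem holds the key and the certificate; only the CERTIFICATE block is hashed.
    lines = [line.strip() for line in pem_text.splitlines()]
    begin = lines.index("-----BEGIN CERTIFICATE-----") + 1
    end = lines.index("-----END CERTIFICATE-----")
    return base64.b64decode("".join(lines[begin:end]))

def hash_link_name(pem_text, index=0):
    # The file name stunnel looks up in its CApath, e.g. 89f05566.0 -> clientcert.pem
    der = pem_certificate_to_der(pem_text)
    return "%s.%d" % (subject_hash_old(x509_subject_der(der)), index)

# Constructed sample, not a real certificate: a v3 tbsCertificate with issuer CN=ca and
# subject CN=client (no public key or signature, which the hash does not need).
SAMPLE_CERT_DER = bytes.fromhex("303d303ba003020102020101300d06092a864886f70d01010b0500"
                                "300d310b300906035504030c0263613000"
                                "3011310f300d06035504030c06636c69656e74")
SAMPLE_SUBJECT_DER = SAMPLE_CERT_DER[-19:]   # the subject Name is the last 19 bytes
SAMPLE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n"
              "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
              % base64.b64encode(SAMPLE_CERT_DER).decode())
```

`os.symlink(cert_path, os.path.join(capath, hash_link_name(pem_text)))` then does the work of the `ln -s` step. OpenSSL 1.0 and later switched the default to a SHA-1 based hash, so with a current stunnel the link must carry the name `openssl x509 -subject_hash` prints (c_rehash creates it), not the MD5-based one shown here.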