Heippa Mark, i hope you give me the chance to add a good dip, if i have to eat some certificates ;-) Have a look at: http://www.stunnel.org/examples/syslog-ng.html there you see that you also need a client PEM. a) One for all clients if you just want encryption b) One different for any client if you also need authentication (i.e. you need to establish the corecctness of client identity) Step by Step: http://www.emaze.net/~yad/openssl_stunnel_ServerClientAuth.txt One addition: Look out in the stunnel FAQ for how to generate a link to the stunnel: $ /usr/local/ssl/misc/c_hash clientcert.pem You will see a output similar to: 89f05566.0 => clientcert.pem Now create a sumbolic link to this file: $ ln -s clientcert.pem 89f05566.0 (Stunnel will use a 'hash' to lookup the filename. It wont work without this.). this recipe will also cook on any BSE implementation ;-), i hope But if you have access to any Redhat Box, you can make your life much more easier: They kindly have spared anyone much work by just building a Makefile that generates all needed keys and gives them the right names all thats left to you is snip up private from public part and distribute them ... Makefile attached, just modifiy the path inside the Makefile hth Micha