[syslog-ng]syslog-ng & stunnel, the saga continues
Michael Arndt
syslog-ng@lists.balabit.hu
Sat, 14 Aug 2004 11:35:56 +0200
Heippa Mark,
I hope you give me the chance to add a good dip, if I have to eat
some certificates ;-)
Have a look at:
http://www.stunnel.org/examples/syslog-ng.html
There you see that you also need a client PEM:
a) One for all clients if you just want encryption
b) A different one for each client if you also need authentication
(i.e. you need to establish the correctness of the client identity)
Step by Step:
http://www.emaze.net/~yad/openssl_stunnel_ServerClientAuth.txt
One addition: Look in the stunnel FAQ for how to generate a link
for stunnel:
$ /usr/local/ssl/misc/c_hash clientcert.pem
You will see an output similar to:
89f05566.0 => clientcert.pem
Now create a symbolic link to this file:
$ ln -s clientcert.pem 89f05566.0
(Stunnel will use a 'hash' to look up the filename. It won't work without
this.)
This recipe will also cook on any BSE implementation ;-), I hope.
But if you have access to any Red Hat box, you can make your
life much easier:
They have kindly spared everyone much work by building a Makefile
that generates all the needed keys and gives them the right names.
All that's left to you is to snip the private part from the public part and
distribute them ...
Makefile attached; just modify the paths inside the Makefile.
hth
Micha
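The c_hash + ln -s step from the message, as an added POSIX sh example that is not from Micha's post or from stunnel itself: it assumes the certificate already sits in the CApath directory, and it additionally handles hash collisions (a second certificate with the same hash gets .1, .2, ...) and the hash algorithm change in OpenSSL 1.0.0 by linking both the current -hash name and the old -subject_hash_old name. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from stunnel): create the
# hash-named symlinks stunnel's CApath lookup needs, like c_hash + ln -s
# in the message, but also
#   1. handling collisions: if <hash>.0 already points at another file,
#      the link becomes <hash>.1, <hash>.2, ...
#   2. linking both the current name (openssl x509 -hash, SHA-1 based since
#      OpenSSL 1.0.0) and the old MD5-based name (-subject_hash_old), so a
#      stunnel built against either OpenSSL generation finds the certificate.
# Function names are my own; the certificate is expected to be in $dir already.
set -u

# Echo the link name to use for $hash in $dir: reuse an existing link that
# already points at $cert, otherwise take the first free suffix.
pick_link_name() {
    hash=$1; cert=$2; dir=$3
    n=0
    while [ -L "$dir/$hash.$n" ] || [ -e "$dir/$hash.$n" ]; do
        if [ "$(readlink "$dir/$hash.$n" 2>/dev/null)" = "$cert" ]; then
            echo "$hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    echo "$hash.$n"
}

# link_cert_hash <capath-dir> <cert-filename>: prints the link names used
# (new-style hash first, then old-style), creating them when missing.
link_cert_hash() {
    dir=$1; cert=$2
    for flag in -hash -subject_hash_old; do
        hash=$(openssl x509 -in "$dir/$cert" -noout "$flag") || return 1
        name=$(pick_link_name "$hash" "$cert" "$dir")
        # relative link, exactly as in the post
        [ -L "$dir/$name" ] || ln -s "$cert" "$dir/$name"
        echo "$name"
    done
}

# Stand-alone use: ./link_cert_hash.sh /etc/stunnel/certs clientcert.pem
if [ $# -eq 2 ]; then
    link_cert_hash "$1" "$2"
fi
```

Run it once per client certificate dropped into the directory; rerunning on the same file is harmless because existing links are reused.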
[Attachment: Makefile]
.PHONY: usage
.SUFFIXES: .key .csr .crt .pem
.PRECIOUS: %.key %.csr %.crt %.pem

usage:
	@echo "This makefile allows you to create:"
	@echo " o public/private key pairs"
	@echo " o SSL certificate signing requests (CSRs)"
	@echo " o self-signed SSL test certificates"
	@echo
	@echo "To create a key pair, run \"make SOMETHING.key\"."
	@echo "To create a CSR, run \"make SOMETHING.csr\"."
	@echo "To create a test certificate, run \"make SOMETHING.crt\"."
	@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
	@echo
	@echo "To create a key for use with Apache, run \"make genkey\"."
	@echo "To create a CSR for use with Apache, run \"make certreq\"."
	@echo "To create a test certificate for use with Apache, run \"make testcert\"."
	@echo
	@echo Examples:
	@echo " make server.key"
	@echo " make server.csr"
	@echo " make server.crt"
	@echo " make stunnel.pem"
	@echo " make genkey"
	@echo " make certreq"
	@echo " make testcert"

# Unencrypted key plus self-signed certificate in one file (the layout
# stunnel expects); umask 77 keeps the temp files and the result private.
%.pem:
	umask 77 ; \
	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
	/usr/bin/openssl req -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 ; \
	cat $$PEM1 > $@ ; \
	echo "" >> $@ ; \
	cat $$PEM2 >> $@ ; \
	$(RM) $$PEM1 $$PEM2

# Passphrase-protected (3DES) private key.
%.key:
	umask 77 ; \
	/usr/bin/openssl genrsa -des3 1024 > $@

# Certificate signing request for an existing key.
%.csr: %.key
	umask 77 ; \
	/usr/bin/openssl req -new -key $^ -out $@

# Self-signed test certificate for an existing key.
%.crt: %.key
	umask 77 ; \
	/usr/bin/openssl req -new -key $^ -x509 -days 365 -out $@

# Fixed Apache (mod_ssl) locations; adjust these paths to your setup.
KEY=/etc/httpd/conf/ssl.key/server.key
CSR=/etc/httpd/conf/ssl.csr/server.csr
CRT=/etc/httpd/conf/ssl.crt/server.crt

genkey: $(KEY)
certreq: $(CSR)
testcert: $(CRT)

$(CSR): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req -new -key $(KEY) -out $(CSR)

$(CRT): $(KEY)
	umask 77 ; \
	/usr/bin/openssl req -new -key $(KEY) -x509 -days 365 -out $(CRT)