[syslog-ng]syslog-ng & stunnel, the saga continues

syslog-ng@lists.balabit.hu
Sat, 14 Aug 2004 10:40:52 +0100


Thanks very much! :)

My next step was to actually attempt to acquire the makefile just
to see what the differences were between client-server certificates,
you've just made my life much easier. :)

cheers
mark


On Sat, Aug 14, 2004 at 11:35:56AM +0200, Michael Arndt wrote:
> Heippa Mark,
> 
> I hope you give me the chance to add a good dip, if I have to eat
> some certificates ;-)
> 
> Have a look at:
> http://www.stunnel.org/examples/syslog-ng.html
> there you see that you also need a client PEM.
> 
> a) One for all clients if you just want encryption
> b) One different for any client if you also need authentication
>    (i.e. you need to establish the correctness of client identity)
> 
> Step by Step:
> 
> 
> http://www.emaze.net/~yad/openssl_stunnel_ServerClientAuth.txt
> 
> One addition: Look out in the stunnel FAQ for how to generate a link
> to the stunnel: 
> 
> $ /usr/local/ssl/misc/c_hash clientcert.pem
> You will see an output similar to:
> 89f05566.0 => clientcert.pem
> 
> Now create a symbolic link to this file:
> $ ln -s clientcert.pem 89f05566.0
> (Stunnel will use a 'hash' to lookup the filename. It won't work without
> this.).
> 
> this recipe will also cook on any BSE implementation ;-), I hope
> 
> But if you have access to any Redhat Box, you can make your
> life much easier:
> 
> They kindly have spared anyone much work by just building a Makefile
> that generates all needed keys and gives them the right names;
> all that's left to you is to snip up private from public part and
> distribute them ...
> 
> Makefile attached, just modify the path inside the Makefile
> 
> 
> hth
> Micha

> .PHONY: usage
> .SUFFIXES: .key .csr .crt .pem
> .PRECIOUS: %.key %.csr %.crt %.pem
> 
> usage:
> 	@echo "This makefile allows you to create:"
> 	@echo "  o public/private key pairs"
> 	@echo "  o SSL certificate signing requests (CSRs)"
> 	@echo "  o self-signed SSL test certificates"
> 	@echo
> 	@echo "To create a key pair, run \"make SOMETHING.key\"."
> 	@echo "To create a CSR, run \"make SOMETHING.csr\"."
> 	@echo "To create a test certificate, run \"make SOMETHING.crt\"."
> 	@echo "To create a key and a test certificate in one file, run \"make SOMETHING.pem\"."
> 	@echo
> 	@echo "To create a key for use with Apache, run \"make genkey\"."
> 	@echo "To create a CSR for use with Apache, run \"make certreq\"."
> 	@echo "To create a test certificate for use with Apache, run \"make testcert\"."
> 	@echo
> 	@echo Examples:
> 	@echo "  make server.key"
> 	@echo "  make server.csr"
> 	@echo "  make server.crt"
> 	@echo "  make stunnel.pem"
> 	@echo "  make genkey"
> 	@echo "  make certreq"
> 	@echo "  make testcert"
> 
> %.pem:
> 	umask 77 ; \
> 	PEM1=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
> 	PEM2=`/bin/mktemp /tmp/openssl.XXXXXX` ; \
> 	/usr/bin/openssl req -newkey rsa:1024 -keyout $$PEM1 -nodes -x509 -days 365 -out $$PEM2 ; \
> 	cat $$PEM1 >  $@ ; \
> 	echo ""    >> $@ ; \
> 	cat $$PEM2 >> $@ ; \
> 	$(RM) $$PEM1 $$PEM2
> 
> %.key:
> 	umask 77 ; \
> 	/usr/bin/openssl genrsa -des3 1024 > $@
> 
> %.csr: %.key
> 	umask 77 ; \
> 	/usr/bin/openssl req -new -key $^ -out $@
> 
> %.crt: %.key
> 	umask 77 ; \
> 	/usr/bin/openssl req -new -key $^ -x509 -days 365 -out $@
> 
> KEY=/etc/httpd/conf/ssl.key/server.key
> CSR=/etc/httpd/conf/ssl.csr/server.csr
> CRT=/etc/httpd/conf/ssl.crt/server.crt
> 
> genkey: $(KEY)
> certreq: $(CSR)
> testcert: $(CRT)
> 
> $(CSR): $(KEY)
> 	umask 77 ; \
> 	/usr/bin/openssl req -new -key $(KEY) -out $(CSR)
> 
> $(CRT): $(KEY)
> 	umask 77 ; \
> 	/usr/bin/openssl req -new -key $(KEY) -x509 -days 365 -out $(CRT)
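The c_hash plus "ln -s" step from the quoted message, automated as a small POSIX sh script that also handles two things the message does not: hash collisions (the .0/.1 suffix) and the subject-hash algorithm change in OpenSSL 1.0.0, after which links made with an old c_hash no longer match. This is an added example, not code from the thread or from stunnel; it assumes the openssl binary is on PATH, and CERT and DIR are the PEM certificate and the stunnel CApath directory you choose.

```shell
#!/bin/sh
# Added example (not from the thread): automate the c_hash + "ln -s" step so
# stunnel's CApath lookup (HASH.N) finds a client or CA certificate.
# Assumes the openssl binary is on PATH; CERT is a PEM certificate and DIR
# is the directory stunnel's CApath points at (both caller-supplied).
set -eu

# First free suffix N (0, 1, 2, ...) for DIR/HASH.N, so that two
# certificates whose subject hashes collide both remain reachable.
next_suffix() {
    n=0
    while [ -e "$1/$2.$n" ]; do n=$((n + 1)); done
    echo "$n"
}

# Copy CERT into DIR, link it as HASH.N and print the link name.
# The first check refuses anything openssl cannot parse as a certificate,
# so a private key or a truncated PEM never lands in the trust directory.
install_cert() {
    cert=$1; dir=$2; base=$(basename "$cert")
    openssl x509 -noout -in "$cert" >/dev/null 2>&1 \
        || { echo "not a PEM certificate: $cert" >&2; return 1; }
    mkdir -p "$dir"
    if [ -e "$dir/$base" ]; then
        # Never silently replace a different file that existing links use.
        cmp -s "$cert" "$dir/$base" \
            || { echo "a different $base already exists in $dir" >&2; return 1; }
    else
        cp "$cert" "$dir/$base"
    fi
    h=$(openssl x509 -noout -subject_hash -in "$cert")
    n=$(next_suffix "$dir" "$h")
    ln -s "$base" "$dir/$h.$n"
    # OpenSSL 1.0.0 changed the subject-hash algorithm, so a link named by an
    # old c_hash stops matching; add the old-style name too where supported.
    old=$(openssl x509 -noout -subject_hash_old -in "$cert" 2>/dev/null || true)
    if [ -n "$old" ] && [ "$old" != "$h" ]; then
        ln -s "$base" "$dir/$old.$(next_suffix "$dir" "$old")"
    fi
    echo "$h.$n"
}
```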