Hello John,
thank you for your clarification. Two more additional questions:
According to stunnel guide I created a cert + key with the following command:
openssl.exe req -new -x509 -days 3650 -nodes -config stunnel.cnf -out stunnelcert.pem -keyout stunnelkey.pem
1.) For what do I need here the -config stunnel.cnf parameter?
I am prompted by openssl for the content values during generation anyway. Can stunnel.cnf be seen only as a default value pattern for the created cert during generation? Can I omit this parameter?
2.) After creation of cert+key I have to specify them (as client) in stunnel.conf (with "o") as follows:
cert = stunnelcert.pem
key = stunnelkey.pem
Is this sufficient?
Thank you Ben
On Mon, Oct 28, 2013 at 06:39:15PM +0100, Ben Stover wrote:
According to some tutorial pages I generated with OpenSSL a (self-signed) certificate.
This file stunnel.pem contains the certificate as well as the private key.
Is this usual/recommended?
Hello John,
That sort of falls into the "tragedy waiting to happen" category. The certificate is supposed to be given to clients, and the key belongs to the server and has to be kept private or there's really no point in using SSL.
Or should user put these two parts in two independent files?
Yes, absolutely. In fact I suppose you're using Windows or went through some hoop-jumping to combine them, because in "normal" OpenSSL usage the key is generated first and then the certs are requested and signed by the CA (or selfsigning) key.
/jl
On Tue, Oct 29, 2013 at 08:31:37AM +0100, Ben Stover wrote:
Hello John,
thank you for your clarification. Two more additional questions:
According to stunnel guide I created a cert + key with the following command:
openssl.exe req -new -x509 -days 3650 -nodes -config stunnel.cnf -out stunnelcert.pem -keyout stunnelkey.pem
1.) For what do I need here the -config stunnel.cnf parameter?
I'm not a stunnel developer so I am not the right person to answer your questions, but in general the cnf input to openssl contains overrides for things that control the operation and output of openssl for that command. For example, what capabilities does the cert assure (SSL, email, etc.) and the size of the key. There are many many more.
I am prompted by openssl for the content values during generation anyway. Can stunnel.cnf be seen only as a default value pattern for the created cert during generation? Can I omit this parameter?
I'll let somebody who knows this specific use (stunnel) answer. It may be they give you good defaults and it may be you need to have certain settings. I haven't looked at it since I don't use it when I generate certs because I use my own CA and sign my CSRs.
2.) After creation of cert+key I have to specify them (as client) in stunnel.conf (with "o") as follows:
cert = stunnelcert.pem
key = stunnelkey.pem
The client does not need and must not have access to the private key. The key belongs to the server. The cert contains the public key for use by the client to be able to authenticate contact with the server. If you're talking about authenticating clients then each party (client/server) must have the other's certificate, but the private keys must remain in the node (client/server) to which they belong and are not shared.
/jl
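Added example, not from this thread and not stunnel's or OpenSSL's own code: a POSIX shell script that does what John describes, generating the key and the self-signed certificate as two separate files from a constructed minimal stunnel.cnf (its "prompt = no" is what stops openssl from asking for the subject fields interactively), plus the two checks an operator wants before handing a file to a peer: that the cert file carries no private key block, and that the key file actually matches the cert. The file names come from Ben's command; the config contents, the CN and the 2048-bit key size are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: key and cert as two separate files,
# plus the checks an operator wants before handing the cert to anyone.

# Minimal OpenSSL request config (constructed). "prompt = no" makes
# "openssl req" take the subject from [ dn ] instead of asking interactively.
write_min_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_server
[ dn ]
CN = stunnel.example.test
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Generate an unencrypted (-nodes, as in Ben's command) 2048-bit RSA key
# and a self-signed cert, each in its own file, key readable by owner only.
generate_cert_and_key() {
  write_min_config "$1/stunnel.cnf"
  openssl req -new -x509 -days 3650 -nodes -newkey rsa:2048 \
    -config "$1/stunnel.cnf" \
    -out "$1/stunnelcert.pem" -keyout "$1/stunnelkey.pem" 2>/dev/null
  chmod 600 "$1/stunnelkey.pem"
}

# 0 if the file holds a certificate and no private key block, else 1.
# Run this on anything you are about to give to a peer.
cert_file_is_public_only() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 1
  grep -q -- 'PRIVATE KEY-----' "$1" && return 1
  return 0
}

# 0 if the key file and the cert carry the same public key, else 1.
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null || true)
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null || true)
  [ -n "$c" ] && [ "$c" = "$k" ]
}
```

Usage: `generate_cert_and_key /etc/stunnel && cert_file_is_public_only /etc/stunnel/stunnelcert.pem && key_matches_cert /etc/stunnel/stunnelcert.pem /etc/stunnel/stunnelkey.pem`; only stunnelcert.pem ever leaves the host.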