[stunnel-users] Stunnel and configuration

Jan Meijer jan.meijer at surfnet.nl
Tue Feb 22 16:34:42 CET 2005


On Tue, 22 Feb 2005, Bohdan Linda wrote:

> CAfile = /etc/certificates/certs            -file where first item is my CA 
> certificate followed by list of 
> all client certificates signed by my CA.

I use the CApath = directory directive for my client certificates.  The 
client certificates are pointed to by hashed symlinks.  Also makes it a 
lot easier to remove a client certificate if you want to revoke access to 
your stunnel for that particular certificate.

> cert = /etc/certificates/server.pem
> chroot = /var/run/stunnel/
> CAfile = /etc/certificates/CA/cacert.pem   - only certificate of my CA
> CRLfile = /etc/certificates/crls      - only certificates signed by my CA

CRL file is *not* 'only certificates signed by my CA', it stands for: do 
not let any certificates *revoked* by my CA in.

Jan

-- 
http://www.surfnet.nl/organisatie/jame
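
Added example (not part of the message above and not stunnel project code): one way to maintain the hashed symlinks in a CApath directory with the openssl command line, so that removing a client certificate means removing its link. The function names and the convention that the PEM files sit inside the CApath directory are assumptions.

```shell
#!/bin/sh
# Added example. Assumed layout: client PEM files sit in the CApath directory
# itself and the links are relative, so they also resolve inside a chroot.

# Subject-name hash OpenSSL uses as the lookup file name in a CApath directory.
cert_hash() { openssl x509 -noout -hash -in "$1"; }

# SHA-256 fingerprint, to tell apart certificates that share a subject hash.
cert_fp() { openssl x509 -noout -fingerprint -sha256 -in "$1"; }

# capath_add DIR NAME: link DIR/NAME as DIR/<hash>.<n>; prints the link name.
capath_add() {
    dir=$1; name=$2
    hash=$(cert_hash "$dir/$name") || return 1
    fp=$(cert_fp "$dir/$name")
    n=0
    while [ -e "$dir/$hash.$n" ]; do
        if [ "$(cert_fp "$dir/$hash.$n")" = "$fp" ]; then
            echo "$hash.$n"      # already linked, nothing to do
            return 0
        fi
        n=$((n + 1))             # same subject hash, different cert: next suffix
    done
    ln -s "$name" "$dir/$hash.$n" && echo "$hash.$n"
}

# capath_remove DIR NAME: drop the link(s) for DIR/NAME and renumber the rest,
# because OpenSSL stops searching at the first missing suffix.
capath_remove() {
    dir=$1; name=$2
    hash=$(cert_hash "$dir/$name") || return 1
    fp=$(cert_fp "$dir/$name")
    n=0; keep=0
    while [ -e "$dir/$hash.$n" ]; do
        if [ "$(cert_fp "$dir/$hash.$n")" = "$fp" ]; then
            rm -f "$dir/$hash.$n"
        else
            [ "$n" -eq "$keep" ] || mv "$dir/$hash.$n" "$dir/$hash.$keep"
            keep=$((keep + 1))
        fi
        n=$((n + 1))
    done
}
```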


