[stunnel-users] Possible to verify client certificate BUT ignore expiration-date?
Christopher Schultz
chris at christopherschultz.net
Thu Jul 11 16:48:39 CEST 2019
Eric,
(Coming back to this.)
On 5/14/19 14:41, Eric Eberhard wrote:
> Chris,
>
> There are "real" certificates you purchase from a certificate authority and pay an annual fee. If this is https you pretty much need that or the user gets errors. By private I meant "self signed."
>
> However, openssl has an option to create a certificate. You type the name, address, whatever, and it makes a certificate. It is JUST AS GOOD as a purchased certificate (except https or perhaps others that want certificate authority certificates). I use them for FTP and SSH and many things .
>
> openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
>
> You can put your own expire date(days) when you make the cert. A screen will come up and ask 20 questions :-) If you cannot do it (don't have openssl installed) I can do it for you. It certainly will work as a stop-gap. We don't need it for https as it is Apache on a machine that is hosted.
So... everything above is exactly what we do with this vendor. We don't
have a problem getting a well-known-CA to sign the certificate. We have
(had) a problem with the vendor just getting the damned work done.
Yes, I know it is a 5-minute process but when you are dealing with a big
company where you have to have 6 managers in multiple time zones call
each other to confirm the problem, have a meeting about the solution,
determine a course of action, allocate a resource to perform the work,
QA the solution, then get an IT review of everything before placing
something into production, that 5-minute fix can take days or weeks.
I just wanted to say "I still trust this certificate, even though it has
expired."
Is that possible to do without recompiling stunnel?
Thanks,
-chris
> -----Original Message-----
> From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On Behalf Of Christopher Schultz
> Sent: Tuesday, May 14, 2019 6:49 AM
> To: stunnel-users at stunnel.org
> Subject: Re: [stunnel-users] Possible to verify client certificate BUT ignore expiration-date?
>
> Eric,
>
> On 5/13/19 18:06, Eric Eberhard wrote:
>> Use openssl to make a private cert?
>
> What is a "private cert"?
>
> Also, I need to trust an existing certificate... If they can create a new certificate, then I can just trust the new one. I'm looking for a stop-gap measure, here.
>
> Thanks,
> -chris
>
>> -----Original Message-----
>> From: stunnel-users [mailto:stunnel-users-bounces at stunnel.org] On
>> Behalf Of Christopher Schultz
>> Sent: Monday, May 13, 2019 2:28 PM
>> To: stunnel-users at stunnel.org
>> Subject: [stunnel-users] Possible to verify client certificate BUT ignore expiration-date?
>>
>> All,
>>
>> Does anyone know if it is possible to perform all other verification of a client certificate EXCEPT allow the certificate to have expired?
>>
>> We have a vendor whose certificate has expired, and we want to allow
>> their old certificate to work while they chase their tails trying to
>> figure out the best way to re-issue a new cert for us. *eyeroll*
>>
>> Is it possible?
>>
>> Thanks,
>> -chris
>>
>>
>>
>>
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20190711/dc624558/attachment-0001.sig>
More information about the stunnel-users
mailing list