Kroko Just another WordPress weblog

April 14, 2008

Genererating the stunnel private key (pem)

Filed under: Uncategorized — admin @ 1:11 am

The stunnel source comes with an stunnel.pem file. You can use this file if you wish. However it is not suggested. Everyone on the net has access to this pem file, thus everyone has access to this private data. The security of your SSL connection requires that no one else has access to this private data.

Let me repeat:


It is a bad idea to use the stunnel.pem file shipped with stunnel except for testing.

After testing out stunnel, you should generate your own key.

To do so, simply do a

	make cert 

This will run the following commands:

  • openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem

    This creates a private key, and self-signed certificate. The arguments mean:

    -days 365
    make this key valid for 1 year, after which it's not to be used any more
    -new
    Generate a new key
    -x509
    Generate an X509 certificate (self sign)
    -nodes
    Don't put a password on this key.
    -config stunnel.cnf
    the OpenSSL configuration file to use
    -out stunnel.pem
    where to put the SSL certificate
    -keyout stunnel.pem
    put the key in this file

    This command will ask you the following questions:

    Question Example Answers
    Country name PL, UK, US, CA
    State or Province name Illinois, Ontario
    Locality Chicago, Toronto
    Organization Name Bill's Meats, Acme Anvils
    Organizational Unit Name Ecommerce Division
    Common Name (FQDN) www.example.com

    Important Note: The Common Name (FQDN) should be the hostname of the machine running stunnel. If you can access the machine by more than one hostname some SSL clients will warn you that the certificate is being used on the wrong host, so it's best to have this match the hostname users will be accessing.

  • openssl gendh 512 >> stunnel.pem

    This generates Diffie-Hellman parameters, and appends them to the pem file. These are only needed if you specifically compile stunnel to use DH, which is not the default.

  • openssl x509 -subject -dates -fingerprint -in stunnel.pem
    This command merely prints out information about your certificate to the screen.

No Comments »

No comments yet.

RSS feed for comments on this post. TrackBack URL

Leave a comment

Powered by WordPress