Kroko Just another WordPress weblog

April 14, 2008

Generating the stunnel private key (pem)

Filed under: Uncategorized — admin @ 1:11 am

The stunnel source comes with a stunnel.pem file. You can use this file if you wish; however, this is not recommended. Everyone on the net has access to this pem file, so everyone has access to the private key inside it. The security of your SSL connection requires that no one else has access to this private key.

Let me repeat:

It is a bad idea to use the stunnel.pem file shipped with stunnel except for testing.

After testing out stunnel, you should generate your own key.

To do so, simply do a

	make cert 

This will run the following commands:

  • openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem

    This creates a private key and a self-signed certificate. The arguments mean:

    -days 365             make this key valid for 1 year, after which it's not to be used any more
    -new                  generate a new key
    -x509                 generate an X.509 certificate (self-signed)
    -nodes                don't put a password on this key
    -config stunnel.cnf   the OpenSSL configuration file to use
    -out stunnel.pem      where to put the SSL certificate
    -keyout stunnel.pem   put the key in this file

    This command will ask you the following questions:

    Question                    Example answers
    Country Name                PL, UK, US, CA
    State or Province Name      Illinois, Ontario
    Locality                    Chicago, Toronto
    Organization Name           Bill's Meats, Acme Anvils
    Organizational Unit Name    Ecommerce Division
    Common Name (FQDN)          www.example.com

    Important Note: The Common Name (FQDN) should be the hostname of the machine running stunnel. If you can access the machine by more than one hostname some SSL clients will warn you that the certificate is being used on the wrong host, so it's best to have this match the hostname users will be accessing.

  • openssl gendh 512 >> stunnel.pem

    This generates Diffie-Hellman parameters, and appends them to the pem file. These are only needed if you specifically compile stunnel to use DH, which is not the default.

  • openssl x509 -subject -dates -fingerprint -in stunnel.pem

    This command merely prints out information about your certificate to the screen.
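The same three steps as a non-interactive script, added here as an example and not part of stunnel's own make cert target: it answers the questions above with -subj, writes key and certificate into one stunnel.pem, restricts the file to its owner, and then checks that the certificate really belongs to the key in the same file before printing the subject, dates and fingerprint. It assumes the openssl command-line tool is on PATH and uses a 2048-bit RSA key rather than whatever stunnel.cnf would choose; the DH parameters step is left out because it is not needed by default.

```shell
#!/bin/sh
# Generate a fresh stunnel.pem (private key followed by self-signed
# certificate) and verify that the two parts belong together.
# Assumes 'openssl' is on PATH; the subject fields are constructed
# sample answers to the questions 'openssl req' would otherwise ask.
set -eu

# gen_stunnel_pem OUTFILE FQDN
gen_stunnel_pem() {
    out=$1
    fqdn=$2
    tmpdir=$(mktemp -d)              # created mode 0700, so the key is never world-readable
    openssl req -new -x509 -days 365 -nodes -newkey rsa:2048 \
        -subj "/C=US/ST=Illinois/L=Chicago/O=Acme Anvils/OU=Ecommerce Division/CN=$fqdn" \
        -keyout "$tmpdir/key.pem" -out "$tmpdir/cert.pem" 2>/dev/null
    # stunnel reads the private key and the certificate from one file, key first
    (umask 077; cat "$tmpdir/key.pem" "$tmpdir/cert.pem" > "$out")
    rm -rf "$tmpdir"
    chmod 600 "$out"
}

# check_stunnel_pem PEMFILE FQDN
# Returns 0 only if the public key embedded in the certificate equals the
# public key derived from the private key in the same file, and the subject
# CN is the expected hostname; then prints what 'make cert' prints last.
check_stunnel_pem() {
    pem=$1
    fqdn=$2
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$pem" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ] || { echo "key/cert mismatch in $pem" >&2; return 1; }
    # matches both "CN=host" (OpenSSL 1.0) and "CN = host" (1.1 and later) subject formats
    openssl x509 -in "$pem" -noout -subject | grep -q "CN *= *$fqdn" \
        || { echo "certificate CN is not $fqdn" >&2; return 1; }
    openssl x509 -subject -dates -fingerprint -noout -in "$pem"
}
```

Run it as `gen_stunnel_pem /etc/stunnel/stunnel.pem www.example.com && check_stunnel_pem /etc/stunnel/stunnel.pem www.example.com`; the check is also a quick way to confirm that the file stunnel is loading is the one you generated and not the shipped one.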
