
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
150
|
Chapter 5: OpenSSL and Stunnel
By default, the CA.pl and CA.sh scripts create a CA certificate called cacert.pem in
the root of the CA filesystem hierarchy (e.g., /usr/local/ssl/CA/cacert.pem) and a CA
key called cakey.pem in the CA filesystem’s private/ directory (e.g., /usr/local/ssl/CA/
private/cakey.pem). The CA certificate must be copied to any host that will verify cer-
tificates signed by your CA, but make sure the CA key is never copied out of private/
and is owned and readable only by root.
Now you’re ready to create and sign your own certificates. Technically, any host run-
ning OpenSSL may generate certificates, regardless of whether it’s a CA. In practice,
however, the CA is the logical place to do this, since you won’t have to worry about
the integrity of certificates created elsewhere and transmitted over potentially
untrustworthy bandwidth. In other words, it’s a lot easier to feel good about signing
a locally generated certificate than about signing one that was emailed to the CA over
the Internet.
For Stunnel use, you’ll need certificates for each host that will act as a server. If you
plan to use SSL client-certificate authentication, you’ll also need a certificate for each
client system. Stunnel supports two types of client-certificate authentication: you can