
This is the Title of the Book, eMatter Edition
Copyright © 2007 O’Reilly & Associates, Inc. All rights reserved.
154
|
Chapter 5: OpenSSL and Stunnel
2. Create a single, combined key+certificate file with this command:
openssl req -x509 -newkey rsa:1024 -days 365 -keyout stunnel.pem -out stunnel.pem
3. The only new flag, here, is -x509, which specifies that the new certificate should
be in X.509 format. (It’s required for self-signed certificates to work with Stun-
nel, but not for CA-signed certificates.) Other than now checking to ensure that
your new certificate has appropriate filesystem permissions (0600, or
-rw-------),
you’re done!
Client certificates
Creating certificates for Stunnel client systems, which again is necessary only if you
wish to use client-certificate authentication on your Stunnel server, is no different
from creating server certificates. Note that unless you use openssl’s
-nodes flag when
you create your client certificate, you’ll need to enter the correct passphrase to start
an Stunnel client daemon. But after the daemon starts, any local user on your client
machine can use the resulting tunnel.
*
(Authentication required by the application
being tunneled, however, will still apply.)
From an Stunnel server’s perspective, the client certificate effectively
authenticates the Stunnel client system and not the tunneled applica-
tion’s users per se. This is true of any server application ...