[stunnel-users] RE: question about stunnel setup

Jan Meijer jan.meijer at surfnet.nl
Wed Feb 15 20:53:16 CET 2006

On Tue, 14 Feb 2006, Anthony Cicalla wrote:

> Ok, my question is: from above it says to create one syslog-ng-client.pem file
> per client.  1) Do the names for each of these need to remain
> syslog-ng-client.pem or can they have names that reflect the host that they
> are on? 2) If they all need to keep that name, do I just move the client file
> to one client/host and then delete it from the server, then move on to create
> the next?

You might want to check the configuration file manpage:

There you will find:

cert = pemfile
    certificate chain PEM file name

    A PEM is always needed in server mode. Specifying this flag in client
    mode will use this certificate chain as a client side certificate
    chain. Using client side certs is optional. The certificates must be
    in PEM format and must be sorted starting with the certificate to the
    highest level (root CA).

and as things go with files you can give them any name you so desire as
long as the filename and the name in the configuration directive that
needs it are equal.

If your question is about the naming on the server-side and you want to
use the CApath directive for verification of client certificates, naming
is not relevant but this is:

This is the directory in which stunnel will look for certificates when
using the verify. Note that the certificates in this directory should be
named XXXXXXXX.0 where XXXXXXXX is the hash value of the cert.

Hope this helps.
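
The CApath naming rule quoted in the reply above, as an added example that is not part of the original post: POSIX shell functions that keep each client certificate under a host-reflecting file name and create the XXXXXXXX.0 link next to it. The function names and directory layout are assumptions, and the `openssl` command-line tool is assumed to be on PATH.

```shell
#!/bin/sh
# Added example. Assumed names: cert_hash, cert_fp, install_cert.

# Print the 8-hex-digit subject hash OpenSSL uses for CApath lookups.
cert_hash() { openssl x509 -noout -hash -in "$1"; }

# Print the SHA-256 fingerprint, used to recognise an already-installed cert.
cert_fp() { openssl x509 -noout -fingerprint -sha256 -in "$1"; }

# install_cert CERT CAPATH
# Copies CERT into CAPATH under its own file name and creates HASH.N beside
# it. N starts at 0 and only increases when a *different* certificate with
# the same subject hash already holds that slot. Prints the link name.
install_cert() {
    cert=$1
    capath=$2
    base=$(basename "$cert")
    subj_hash=$(cert_hash "$cert") || return 1   # not a PEM certificate
    fp=$(cert_fp "$cert") || return 1
    mkdir -p "$capath" || return 1
    n=0
    while [ -e "$capath/$subj_hash.$n" ]; do
        # Same certificate already linked: report it and change nothing.
        if [ "$(cert_fp "$capath/$subj_hash.$n")" = "$fp" ]; then
            echo "$subj_hash.$n"
            return 0
        fi
        n=$((n + 1))
    done
    # Two hosts must not share a file name (e.g. both "syslog-ng-client.pem"):
    # copying would silently replace the first host's certificate.
    if [ -e "$capath/$base" ]; then
        echo "refusing to overwrite $capath/$base" >&2
        return 1
    fi
    cp "$cert" "$capath/$base" || return 1
    ln -s "$base" "$capath/$subj_hash.$n" || return 1
    echo "$subj_hash.$n"
}
```

The hash must come from the same OpenSSL generation that stunnel is linked against: OpenSSL 1.0.0 changed the subject hash algorithm, and `openssl x509 -subject_hash_old` prints the earlier form.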


