[stunnel-users] Is it usual/recommended to have key and cert in ONE stunnel.pem file?

Ben Stover bxstover at yahoo.co.uk
Tue Oct 29 08:31:37 CET 2013


Hello John,

thank you for your clarification.
Two more additional questions:

According to stunnel guide I created a cert + key with the following command:

openssl.exe req -new -x509 -days 3650 -nodes -config stunnel.cnf -out stunnelcert.pem -keyout stunnelkey.pem

1.) For what do I need here the 

-config stunnel.cnf

parameter? I am prompted by openssl for the content values during generation anyway.
Can stunnel.cnf be seen only as a default value pattern for the created cert during generation?
Can I omit this parameter?

2.) After creation of cert+key I have to specify them (as client) in stunnel.conf (with "o") as follows:

cert = stunnelcert.pem
key = stunnelkey.pem

Is this sufficient?

Thank you
Ben


On Mon, Oct 28, 2013 at 06:39:15PM +0100, Ben Stover wrote:
> According to some tutorial pages I generated with OpenSSL a (selfsigned) certificate.
> 
> This file stunnel.pem contains the certifictae as well as the private key.
> 
> Is this usual/recommended?
Hello John,


That sort of falls into the "tragedy waiting to happen" category. The
certificate is supposed to be given to clients, and the key belongs to the
server and has to be kept private or there's really no point in using SSL.

> Or should user put these two parts in two independent files?

Yes, absolutely. In fact I suppose you're using Windows or went through some
hoop-jumping to combine them, because in "normal" OpenSSL usage the key is
generated first and then the certs are requested and signed by the CA (or
selfsigning) key.

/jl












More information about the stunnel-users mailing list