I've been trying to set up stunnel on the firewall to accept
SSL-encrypted connections and forward them to internal http addresses.
This is for staff use only, so I don't care about having a certificate
signed by a public CA.  I do, however, want to require users to have
certificates.  I've finally worked out something that actually works,
but as I'm relatively new to this, I wanted to pass it by the list and
see whether anyone recognizes something I'm doing stupidly or
something that opens me up for some type of attack other than what one
could do on any SSL connection.

Here's the procedure:

  mkdir /etc/stunnel
  cd /etc/stunnel

Create CA key:

  openssl genrsa -des3 -out ca.key 2048

Create self-signed CA certificate:

  openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Create CA pem:

  cat ca.crt ca.key > ca.pem

Generate server certificate request:

  openssl req -new -nodes -out server.csr -keyout server.key -newkey rsa:2048

Sign:

  sign.sh server.csr
  (enter key for ca; result: server.crt)

Create server pem:

  cat server.crt server.key > server.pem

Generate user key (for each user):

  openssl genrsa -des3 -out user.key 2048

Generate certificate request:

  openssl req -new -key user.key -out user.csr

Sign:

  sign.sh user.csr
  (enter key for ca; result: user.crt)

Create user.pem:

  cat user.crt user.key > user.pem

Generate pkcs12:

  openssl pkcs12 -export -out user.p12 -in user.crt -inkey user.key

Give user.p12 to user to import into browser.

Create hash symbolic links:

  c_rehash -a /etc/stunnel

Verify -- all should be okay:

  openssl verify -CApath . ca.pem
  openssl verify -CApath . server.pem
  openssl verify -CApath . user.pem

Now:

  stunnel -d server:server-port -a /etc/stunnel -p /etc/stunnel/server.pem -r internal:port -v 3

will create a situation in which https://server:server-port will issue
a certificate and accept connections from people only with client
certificates signed by its signing authority.

As I said, this procedure works.  Does anyone see a problem with it?
Thanks for any advice.

-- 
E. Jay Berkenbilt <[EMAIL PROTECTED]>
http://www.ql.org/q/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
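The whole procedure from the post, carried through as one runnable script. This is an added example, not the poster's commands or scripts: the post's sign.sh is not on the page, so signing is done directly with "openssl x509 -req" against the CA key, and a small openssl.cnf supplies the CA/server/client extensions the post's certificates do not carry. It assumes OpenSSL 1.1.1 or newer on PATH; every name, path and passphrase (staff-ca, proxy, user1, rogue-ca, proxy.example.internal, the demo-* passphrases) is a constructed demo value. Beyond the post, it builds a second CA that was never installed and checks that a client cert from it is rejected, and it writes the stunnel 4/5 config-file equivalent of the post's stunnel 3 command line.

```shell
#!/bin/sh
# Added example, not the original poster's scripts: a private CA, a server
# cert, a per-user client cert packed as PKCS#12, a hashed CApath holding
# only public certificates, and a second CA to prove foreign certs are
# rejected. Assumes OpenSSL 1.1.1+ on PATH; names, paths and passphrases are
# constructed demo values; "sign.sh" is replaced by "openssl x509 -req".
set -eu
PKI="${PKI:-$(mktemp -d)}"
CA_PASS='demo-ca-passphrase'        # constructed; use a real one, typed at a prompt
USER_PASS='demo-user-key-pass'      # constructed
P12_PASS='demo-p12-transport-pass'  # constructed; hand to the user out of band

# One config for all certs: extensions decide who is a CA and what a leaf may do.
write_openssl_cnf() {
  cat > "$1/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:proxy.example.internal
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# make_ca PKI NAME: passphrase-protected key in private/, never in the CApath.
make_ca() {
  mkdir -p "$1/private" "$1/certs" && chmod 700 "$1/private"
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$1/private/$2.key" 2048 2>/dev/null
  openssl req -new -x509 -days 1825 -config "$1/openssl.cnf" -extensions v3_ca \
    -key "$1/private/$2.key" -passin "pass:$CA_PASS" -subj "/CN=$2" -out "$1/certs/$2.crt"
}

# issue_cert PKI CA NAME EXT_SECTION KEY_PASS  ("" = unencrypted key, the post's -nodes)
issue_cert() {
  if [ -n "$5" ]; then
    openssl genrsa -aes256 -passout "pass:$5" -out "$1/private/$3.key" 2048 2>/dev/null
  else
    openssl genrsa -out "$1/private/$3.key" 2048 2>/dev/null
  fi
  openssl req -new -config "$1/openssl.cnf" -key "$1/private/$3.key" -passin "pass:$5" \
    -subj "/CN=$3" -out "$1/$3.csr"
  openssl x509 -req -days 365 -in "$1/$3.csr" -CA "$1/certs/$2.crt" -CAkey "$1/private/$2.key" \
    -passin "pass:$CA_PASS" -CAcreateserial -extfile "$1/openssl.cnf" -extensions "$4" \
    -out "$1/certs/$3.crt" 2>/dev/null
}

# make_capath PKI CA: what c_rehash does, but over the public cert only. A hash
# link to a pem that also holds the CA private key exposes that key to readers.
make_capath() {
  mkdir -p "$1/capath" && cp "$1/certs/$2.crt" "$1/capath/"
  ln -sf "$2.crt" "$1/capath/$(openssl x509 -noout -subject_hash -in "$1/certs/$2.crt").0"
}

# verify_cert PKI PURPOSE CERT: exit 0 only if the chain ends in our capath.
verify_cert() {
  openssl verify -no-CAfile -CApath "$1/capath" -purpose "$2" "$3" >/dev/null 2>&1
}

# make_p12 PKI NAME KEY_PASS CA: browser-import bundle, CA cert included.
make_p12() {
  openssl pkcs12 -export -in "$1/certs/$2.crt" -inkey "$1/private/$2.key" -passin "pass:$3" \
    -certfile "$1/certs/$4.crt" -passout "pass:$P12_PASS" -out "$1/$2.p12"
}
# p12_subject FILE: the subject the browser will show after import.
p12_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# write_stunnel_conf PKI SERVER CA: stunnel 4/5 form of "-d ... -a ... -p ... -r ... -v 3".
write_stunnel_conf() {
  cat "$1/certs/$2.crt" "$1/private/$2.key" > "$1/private/$2.pem" && chmod 600 "$1/private/$2.pem"
  printf '%s\n' "[staff-https]" "accept = 0.0.0.0:8443" "connect = 127.0.0.1:8080" \
    "cert = $1/private/$2.pem" "CAfile = $1/certs/$3.crt" \
    "; 2 = any cert this CA issued; 3 plus CApath = per-user allow-list" \
    "verify = 2" > "$1/stunnel.conf"
}

write_openssl_cnf "$PKI"
make_ca "$PKI" staff-ca
issue_cert "$PKI" staff-ca proxy v3_server ""
issue_cert "$PKI" staff-ca user1 v3_client "$USER_PASS"
make_capath "$PKI" staff-ca
make_p12 "$PKI" user1 "$USER_PASS" staff-ca
write_stunnel_conf "$PKI" proxy staff-ca
make_ca "$PKI" rogue-ca                        # a CA nobody installed in capath
issue_cert "$PKI" rogue-ca intruder v3_client ""
```

Two design choices differ from the post on purpose. First, the directory given to stunnel as its certificate directory (the post's -a /etc/stunnel) holds only ca.crt and its hash link here; in the post, c_rehash links to ca.pem and user.pem, which contain the CA and user private keys, so anything that can read the CApath can read those keys. Second, the CA above lives five years while the post's is created with -days 365, so every server and user certificate it signs stops validating within the year, together with the CA itself. On verify levels: with stunnel 4/5, verify = 2 accepts any certificate the CA issued, which is what the post describes wanting; if I read the stunnel 3 man page right, its -v 3 is "verify peer with locally installed certificate", so a client is accepted only if its own certificate also sits hashed in the -a directory, which the post's "c_rehash" over user.pem happens to satisfy. Check the man page of the stunnel version you actually run before relying on either reading.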