Lets say you have an internal web server, database server, and mail at three offices on local servers using a VPN to keep it all straight. It allows you to install trust through a browser, which if you are making a private CA to make keys for a number of machines and/or services, will cut down on headaches. The point of a DER file is that it can be linked through the web, and not compromise a certificate/key pair. Openssl x509 -in certs/ca.cer -outform DER -out certs/ca.der Optionally, make a transportable DER file to import the key's recognition into systems without compromising the key: Openssl req -config nf -new -x509 -days 1095 -key keys/ca.key -out certs/ca.cer Next, do a self signed CIRtificate for three years: Stunnel will never start as a service with a machine on boot if you use a pass phrase! So one of the cirts you make will have to be without a pass phrase, or will have to have the pass phrase stripped off. This is not needed if it will only live on one machine. The pass phrase is to secure the cert from unauthorized use, and to allow it to be sent via email. However, if you are only going to make one cirt, or you may make another later but don't have any long term plans, DON'T use a pass phrase so nodes. If making a CA to do other, internally signed certificates, use a des3 passphrase, and make a second cert signed by the first for Stunnel. Openssl genrsa -nodes -out keys/ca.key 1024ĭes3 or nodes. Openssl genrsa -des3 -out keys/ca.key 1024 You could also do 2048, and other fun things. NOTE: the 1024 below is to make a 1024 bit KEY. If you want more explanation, read Dylan Beattie's guide. Now I am going to go through this part quick. Make sure you have msvcr90.dll on your system, or install the C++ runtime to get it. Otherwise, you can just run the set commands from DOS, and be done with it. If you plan on making this install of OpenSSL a long term thing, and making your own Certificate Authority to sign multiple certificates, set the variables in your path and system variables. The most recent Stunnel Binaries for Windows. If this is missing from your system, you will need to install the Microsoft Visual C++ 2008 Redistributable Package (x86).įor configuring OpenSSL, use this copy of nf or play with your own to figure it all out. The OpenSSL tools uses the Visual C++ Runtime DLL, msvcr90.dll. You can also compile your own version of the OpenSSL tools using cygwin, or mingw, but this is the fastest way. Pre-compiled OpenSSL tools for Windows from Shining Light Productions. Not all places have the same laws for using encryption, and that is all I have to say on that because I am not a legal advisor. This is for Stunnel which is being applied to hMailServer, not IIS! This guide is based off that one, but I diverge where it starts talking about IIS. One guide I found, " Creating a Self-Signed Certificate using OpenSSL for use with Microsoft Internet Information Services (IIS) 5" by Dylan Beattie, January 2003, uses more of a Microsoft file format, extensions, and so on. I have done this on Pro 2000 and XP Home, so it should work most places. So I decided that would make my own howto which would add to this one, go over creating a basic, self signed certificate with OpenSSL, and installing it in Stunnel, all inside Windows. They also all like to talk about c_rehash, which you won't need for what is being done here. In most of these, they liked calling everything a pem file. I went through more than a few guides on OpenSSL, and most were written for LINUX users. Specifically, it is missing how to create your own certificate to make Stunnel more secure. Then, when I later found the guide here, I noticed it was short on a few topics. So I went about doing so, and got it to work. Well, I thought about using Stunnel for that before I read the guide here. But what if you want to use the secure versions of those things? Well, you can wait for the next version, or do a little work yourself. The hMailServer does a great job of SMTP, POP3 and IMAP.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |