Stunnel Certificate File Format

To see how this inclusion page fits in with similar ones, perhaps see one of

Certificate Format Used by UW IMAPD and perhaps others

IncludeCertInetdFormat

Here is the format of certificate files used by stunnel , University of Washington imapd and ipopd and perhaps other servers.

Because the connections for these services are initiated by inetd, startup efficiency is important and so all necessary certificate information is placed in one file. Because the private keys are included in these files, the files must not be world-readable. In addition it seems there can be no additional data before the first -----BEGIN line or between the -----END and -----BEGIN lines--no readable certificate forms or other comments. This is in contrast to other services which do allow such comments.

root@services116.cs>2# cat stunnel.pem
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQCeSOyOK6EZIqyG1cStXwsxlNlD/RayeMjjFBgn++9OjyRF/zUm
vnXUKBHi29z8yGgnWJ2cS8qYkAlfvhsmHAuOIQh3x/nuKtvCu1/ssghNXkMmVoJL
+Zkk2QaZX0bf8TnZ0OYC3qFS9HxgRKt6FIvsblbxme4mAreQMhpwDtB/+QIDAQAB
AoGAJHvmmraPwX1uiv3HAbdAm0MV+Ufi7WxN0ZmWH9FATblMwR2cILwR6L77sHDB
NTr0Vu1kFtyZbCT3JCxrkZMxTkqX/+uSh33+NNPc7gStwFQ7LjOyO6AthOpr4OIi
GzZrkVdlfvHakc9yoU3cBSNLbPuSefC6X773bM54KtZsDOkCQQDOGTqyXe3Uz3Oo
EaGpdvTZEi4+7X38HDydybFpl7aWu2ZEXgsRbwiWmM5j5mHmQBbBfWQv4+cDQLSN
i9IFkFt3AkEAxJwFRL+BBag039NCs8Ty8NirGrncsXHW2EnU1+ifZZBinp3Bg8G8
HTZKugG/W1ThLqNupvEfa4glzeQb+b78DwJAEdcbPp9k2/wNLepAzTOP5E5vlGDo
e+9Ry/LOma5ZTtjv9FETsjGjU63sh7dEmDLKBXu+NWsL7zslpe8JghPJ5wJACLDg
5r4UZPyfgblj/HBbUNwzDBZlNA7VMXBqETU+Po4YXeyZTkq1FxF8Uiabn9zrq1Uc
IhMMkYNOMIDB39NabwJBAKogdyM76Zfgd9I1fZf8AQKZVs4C1yq0JdPW6nl0gpKK
+nMCU7RIx0mdrEsTJNyR63hdPJ/37+OjvtRefBMVowE=
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
MIIEdjCCA16gAwIBAgILAQAAAAABJ24e8gcwDQYJKoZIhvcNAQEFBQAwajEjMCEG
A1UECxMaT3JnYW5pemF0aW9uIFZhbGlkYXRpb24gQ0ExEzARBgNVBAoTCkdsb2Jh
bFNpZ24xLjAsBgNVBAMTJUdsb2JhbFNpZ24gT3JnYW5pemF0aW9uIFZhbGlkYXRp
b24gQ0EwHhcNMTAwMzE3MjEyNDE3WhcNMTEwMzE4MjEyNDExWjByMQswCQYDVQQG
EwJDQTEQMA4GA1UECBMHT250YXJpbzERMA8GA1UEBxMIV2F0ZXJsb28xHzAdBgNV
BAoTFlVuaXZlcnNpdHkgb2YgV2F0ZXJsb28xHTAbBgNVBAMMFG1haWwuY3MudXdh
dGVybG9vLmNhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhrXXLjlNIBjkX
+FF9xV99R9dzOFNTuMvAZew18VOQzwscyVvxilVeXRjQoKB2osz22VNCof/Uf9pm
VSH5enWP5XwIUopkMG5uJGPOAPzr4smrEOVQ68VCtgR/M62iH9w6nuh1uUACgqW9
7ykzhwUZq5wntqBsnNvBszxHpUeZqwIDAQABo4IBlzCCAZMwHwYDVR0jBBgwFoAU
fW0q7Garp1E2qwJp8XCPxFkLmh8wSQYIKwYBBQUHAQEEPTA7MDkGCCsGAQUFBzAC
hi1odHRwOi8vc2VjdXJlLmdsb2JhbHNpZ24ubmV0L2NhY2VydC9vcmd2MS5jcnQw
PwYDVR0fBDgwNjA0oDKgMIYuaHR0cDovL2NybC5nbG9iYWxzaWduLm5ldC9Pcmdh
bml6YXRpb25WYWwxLmNybDAdBgNVHQ4EFgQUa4CiDe86Vx2LK1uGANpOHnoOtaEw
CQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAwKQYDVR0lBCIwIAYIKwYBBQUHAwEG
CCsGAQUFBwMCBgorBgEEAYI3CgMDMEsGA1UdIAREMEIwQAYJKwYBBAGgMgEUMDMw
MQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuZ2xvYmFsc2lnbi5uZXQvcmVwb3NpdG9y
eS8wEQYJYIZIAYb4QgEBBAQDAgbAMB8GA1UdEQQYMBaCFG1haWwuY3MudXdhdGVy
bG9vLmNhMA0GCSqGSIb3DQEBBQUAA4IBAQAnAMxl6RKmiO6kBHkcrcNAdevfpC9h
UYN4u3XMYpsdkK03LtneRnVBVY5RBKw49WaEavJgFNXL/dGDJ1nAFSUqX/LnV6vR
wvrwArdruwNvMCOSHhTSzEI94TU8pYuqtG5JodTrVb9fGEXwmrQJp+Een974zWRE
HHQQ/NGjcBPTI+ts8BoTQaMZGEcxZ2zGHUTChbmVzjZgZPzIMSEcMGKuTAY1weGP
LyFKn7dOxIbN0lQVezCfHtSntTGaoLum5phnbsrU5qRTnVndDYSOtgS4wU2pXWal
ezqliW3+kStgu67NMOVtJP2yd3VNaDILoLme2OJiMNRTf27zyo6QAn1p
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIEZzCCA0+gAwIBAgILBAAAAAABHkSl9SowDQYJKoZIhvcNAQEFBQAwVzELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0wNzA0MTExMjAw
MDBaFw0xNzA0MTExMjAwMDBaMGoxIzAhBgNVBAsTGk9yZ2FuaXphdGlvbiBWYWxp
ZGF0aW9uIENBMRMwEQYDVQQKEwpHbG9iYWxTaWduMS4wLAYDVQQDEyVHbG9iYWxT
aWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAoS/EvM6HA+lnwYnI5ZP8fbStnvZjTmronCxziaIB9I8h
+P0lnVgWbYb27klXdX516iIRfj37x0JB3PzFDJFVgHvrZDMdm/nKOOmrxiVDUSVA
9OR+GFVqqY8QOkAe1leD738vNC8t0vZTwhkNt+3JgfVGLLQjQl6dEwN17Opq/Fd8
yTaXO5jcExPs7EH6XTTquZPnEBZlzJyS/fXFnT5KuQn85F8eaV9N9FZyRLEdIwPI
NvZliMi/ORZFjh4mbFEWxSoAOMWkE2mVfasBO6jEFLSA2qwaRCDV/qkGexQnr+Aw
Id2Q9KnVIxkuHgPmwd+VKeTBlEPdPpCqy0vJvorTOQIDAQABo4IBHzCCARswDgYD
VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFH1tKuxm
q6dRNqsCafFwj8RZC5ofMEsGA1UdIAREMEIwQAYJKwYBBAGgMgEUMDMwMQYIKwYB
BQUHAgEWJWh0dHA6Ly93d3cuZ2xvYmFsc2lnbi5uZXQvcmVwb3NpdG9yeS8wMwYD
VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5nbG9iYWxzaWduLm5ldC9yb290LmNy
bDARBglghkgBhvhCAQEEBAMCAgQwIAYDVR0lBBkwFwYKKwYBBAGCNwoDAwYJYIZI
AYb4QgQBMB8GA1UdIwQYMBaAFGB7ZhpFDZfKiVAvfQTNNKj//P1LMA0GCSqGSIb3
DQEBBQUAA4IBAQB5R/wV10x53w96ns7UfEtjyYm1ez+ZEuicjJpJL+BOlUrtx7y+
8aLbjpMdunFUqkvZiSIkh8UEqKyCUqBS+LjhT6EnZmMhSjnnx8VOX7LWHRNtMOnO
16IcvCkKczxbI0n+1v/KsE/18meYwEcR+LdIppAJ1kK+6rG5U0LDnCDJ+6FbtVZt
h4HIYKzEuXInCo4eqLEuzTKieFewnPiVu0OOjDGGblMNxhIFukFuqDUwCRgdAmH/
/e413mrDO9BNS05QslY2DERd2hplKuaYVqljMy4E567o9I63stp9wMjirqYoL+PJ
c738B0E0t6pu7qfb0ZM87ZDsMpKI2cgjbHQh
-----END CERTIFICATE-----
root@services116.cs>2# 

Although I based this on an actual certificate chain, I substituted an incorrect private key.

The contents are:

-----BEGIN RSA PRIVATE KEY-----
[ Private key for the host certificate immediately following ]
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
[ Host certificate (corresponds to that private key) ]
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
[ Intermediate OrganizationSSL Certificate..... ]
-----END CERTIFICATE-----

The openssl command can be used, as in openssl x509 -text, using one of the certificate portions as input. That will show a readable (well, verbose) form of the certificate. That can be useful to help be sure you are replacing the correct host certificate, and also to check the expiry date, etc. But remember that data such as that cannot be included in the installed file; it will cause the service to stop working.

Note that no Certificate Authority Certificate is included. That's because a Certificate Authority Certificate is really only meaningful if the client obtains it from a source different from the server providing the service. Note how the OrganizationSSL Intermediate Root Certificate is used to connect the host certificate to the Certificate Authority.

Note that the private key and host certificate shown are only 1024-bit; GlobalSign now requires 2048-bit keys, and so on renewal the above would be (have been) upgraded.

-- AdrianPepper - 23 Mar 2011


IncludeAdrianReferers

Referers

This topic IncludeCertInetdFormat is referred to by...
Topic revision: r7 - 2011-09-29 - AdrianPepper
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2019 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback