TWiki>
CF Web>CertMaintenanceCollapsed>IncludeCertUpdateCertificate>IncludeCertInetdFormat (2011-09-29, AdrianPepper)
EditAttach
CF Web>CertMaintenanceCollapsed>IncludeCertUpdateCertificate>IncludeCertInetdFormat (2011-09-29, AdrianPepper) EditAttachStunnel Certificate File Format
To see how this inclusion page fits in with similar ones, perhaps see one ofCertificate Format Used by UW IMAPD and perhaps others
| IncludeCertInetdFormat |
stunnel
,
University of Washington imapd and ipopd and perhaps other servers.
Because the connections for these services are initiated by inetd,
startup efficiency is important
and so all necessary certificate information is placed in one file.
Because the private keys are included in these files, the
files must not be world-readable.
In addition it seems there can be no additional data before the first
-----BEGIN line
or
between the -----END and -----BEGIN lines--no readable certificate
forms or other comments. This is in contrast to other services which
do allow such comments.
root@services116.cs>2# cat stunnel.pem -----BEGIN RSA PRIVATE KEY----- MIICXAIBAAKBgQCeSOyOK6EZIqyG1cStXwsxlNlD/RayeMjjFBgn++9OjyRF/zUm vnXUKBHi29z8yGgnWJ2cS8qYkAlfvhsmHAuOIQh3x/nuKtvCu1/ssghNXkMmVoJL +Zkk2QaZX0bf8TnZ0OYC3qFS9HxgRKt6FIvsblbxme4mAreQMhpwDtB/+QIDAQAB AoGAJHvmmraPwX1uiv3HAbdAm0MV+Ufi7WxN0ZmWH9FATblMwR2cILwR6L77sHDB NTr0Vu1kFtyZbCT3JCxrkZMxTkqX/+uSh33+NNPc7gStwFQ7LjOyO6AthOpr4OIi GzZrkVdlfvHakc9yoU3cBSNLbPuSefC6X773bM54KtZsDOkCQQDOGTqyXe3Uz3Oo EaGpdvTZEi4+7X38HDydybFpl7aWu2ZEXgsRbwiWmM5j5mHmQBbBfWQv4+cDQLSN i9IFkFt3AkEAxJwFRL+BBag039NCs8Ty8NirGrncsXHW2EnU1+ifZZBinp3Bg8G8 HTZKugG/W1ThLqNupvEfa4glzeQb+b78DwJAEdcbPp9k2/wNLepAzTOP5E5vlGDo e+9Ry/LOma5ZTtjv9FETsjGjU63sh7dEmDLKBXu+NWsL7zslpe8JghPJ5wJACLDg 5r4UZPyfgblj/HBbUNwzDBZlNA7VMXBqETU+Po4YXeyZTkq1FxF8Uiabn9zrq1Uc IhMMkYNOMIDB39NabwJBAKogdyM76Zfgd9I1fZf8AQKZVs4C1yq0JdPW6nl0gpKK +nMCU7RIx0mdrEsTJNyR63hdPJ/37+OjvtRefBMVowE= -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- MIIEdjCCA16gAwIBAgILAQAAAAABJ24e8gcwDQYJKoZIhvcNAQEFBQAwajEjMCEG A1UECxMaT3JnYW5pemF0aW9uIFZhbGlkYXRpb24gQ0ExEzARBgNVBAoTCkdsb2Jh bFNpZ24xLjAsBgNVBAMTJUdsb2JhbFNpZ24gT3JnYW5pemF0aW9uIFZhbGlkYXRp b24gQ0EwHhcNMTAwMzE3MjEyNDE3WhcNMTEwMzE4MjEyNDExWjByMQswCQYDVQQG EwJDQTEQMA4GA1UECBMHT250YXJpbzERMA8GA1UEBxMIV2F0ZXJsb28xHzAdBgNV BAoTFlVuaXZlcnNpdHkgb2YgV2F0ZXJsb28xHTAbBgNVBAMMFG1haWwuY3MudXdh dGVybG9vLmNhMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDhrXXLjlNIBjkX +FF9xV99R9dzOFNTuMvAZew18VOQzwscyVvxilVeXRjQoKB2osz22VNCof/Uf9pm VSH5enWP5XwIUopkMG5uJGPOAPzr4smrEOVQ68VCtgR/M62iH9w6nuh1uUACgqW9 7ykzhwUZq5wntqBsnNvBszxHpUeZqwIDAQABo4IBlzCCAZMwHwYDVR0jBBgwFoAU fW0q7Garp1E2qwJp8XCPxFkLmh8wSQYIKwYBBQUHAQEEPTA7MDkGCCsGAQUFBzAC hi1odHRwOi8vc2VjdXJlLmdsb2JhbHNpZ24ubmV0L2NhY2VydC9vcmd2MS5jcnQw PwYDVR0fBDgwNjA0oDKgMIYuaHR0cDovL2NybC5nbG9iYWxzaWduLm5ldC9Pcmdh bml6YXRpb25WYWwxLmNybDAdBgNVHQ4EFgQUa4CiDe86Vx2LK1uGANpOHnoOtaEw CQYDVR0TBAIwADAOBgNVHQ8BAf8EBAMCBaAwKQYDVR0lBCIwIAYIKwYBBQUHAwEG CCsGAQUFBwMCBgorBgEEAYI3CgMDMEsGA1UdIAREMEIwQAYJKwYBBAGgMgEUMDMw MQYIKwYBBQUHAgEWJWh0dHA6Ly93d3cuZ2xvYmFsc2lnbi5uZXQvcmVwb3NpdG9y eS8wEQYJYIZIAYb4QgEBBAQDAgbAMB8GA1UdEQQYMBaCFG1haWwuY3MudXdhdGVy bG9vLmNhMA0GCSqGSIb3DQEBBQUAA4IBAQAnAMxl6RKmiO6kBHkcrcNAdevfpC9h UYN4u3XMYpsdkK03LtneRnVBVY5RBKw49WaEavJgFNXL/dGDJ1nAFSUqX/LnV6vR wvrwArdruwNvMCOSHhTSzEI94TU8pYuqtG5JodTrVb9fGEXwmrQJp+Een974zWRE HHQQ/NGjcBPTI+ts8BoTQaMZGEcxZ2zGHUTChbmVzjZgZPzIMSEcMGKuTAY1weGP LyFKn7dOxIbN0lQVezCfHtSntTGaoLum5phnbsrU5qRTnVndDYSOtgS4wU2pXWal ezqliW3+kStgu67NMOVtJP2yd3VNaDILoLme2OJiMNRTf27zyo6QAn1p -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIEZzCCA0+gAwIBAgILBAAAAAABHkSl9SowDQYJKoZIhvcNAQEFBQAwVzELMAkG A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0wNzA0MTExMjAw MDBaFw0xNzA0MTExMjAwMDBaMGoxIzAhBgNVBAsTGk9yZ2FuaXphdGlvbiBWYWxp ZGF0aW9uIENBMRMwEQYDVQQKEwpHbG9iYWxTaWduMS4wLAYDVQQDEyVHbG9iYWxT aWduIE9yZ2FuaXphdGlvbiBWYWxpZGF0aW9uIENBMIIBIjANBgkqhkiG9w0BAQEF AAOCAQ8AMIIBCgKCAQEAoS/EvM6HA+lnwYnI5ZP8fbStnvZjTmronCxziaIB9I8h +P0lnVgWbYb27klXdX516iIRfj37x0JB3PzFDJFVgHvrZDMdm/nKOOmrxiVDUSVA 9OR+GFVqqY8QOkAe1leD738vNC8t0vZTwhkNt+3JgfVGLLQjQl6dEwN17Opq/Fd8 yTaXO5jcExPs7EH6XTTquZPnEBZlzJyS/fXFnT5KuQn85F8eaV9N9FZyRLEdIwPI NvZliMi/ORZFjh4mbFEWxSoAOMWkE2mVfasBO6jEFLSA2qwaRCDV/qkGexQnr+Aw Id2Q9KnVIxkuHgPmwd+VKeTBlEPdPpCqy0vJvorTOQIDAQABo4IBHzCCARswDgYD VR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0OBBYEFH1tKuxm q6dRNqsCafFwj8RZC5ofMEsGA1UdIAREMEIwQAYJKwYBBAGgMgEUMDMwMQYIKwYB BQUHAgEWJWh0dHA6Ly93d3cuZ2xvYmFsc2lnbi5uZXQvcmVwb3NpdG9yeS8wMwYD VR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5nbG9iYWxzaWduLm5ldC9yb290LmNy bDARBglghkgBhvhCAQEEBAMCAgQwIAYDVR0lBBkwFwYKKwYBBAGCNwoDAwYJYIZI AYb4QgQBMB8GA1UdIwQYMBaAFGB7ZhpFDZfKiVAvfQTNNKj//P1LMA0GCSqGSIb3 DQEBBQUAA4IBAQB5R/wV10x53w96ns7UfEtjyYm1ez+ZEuicjJpJL+BOlUrtx7y+ 8aLbjpMdunFUqkvZiSIkh8UEqKyCUqBS+LjhT6EnZmMhSjnnx8VOX7LWHRNtMOnO 16IcvCkKczxbI0n+1v/KsE/18meYwEcR+LdIppAJ1kK+6rG5U0LDnCDJ+6FbtVZt h4HIYKzEuXInCo4eqLEuzTKieFewnPiVu0OOjDGGblMNxhIFukFuqDUwCRgdAmH/ /e413mrDO9BNS05QslY2DERd2hplKuaYVqljMy4E567o9I63stp9wMjirqYoL+PJ c738B0E0t6pu7qfb0ZM87ZDsMpKI2cgjbHQh -----END CERTIFICATE----- root@services116.cs>2#Although I based this on an actual certificate chain, I substituted an incorrect private key. The contents are:
-----BEGIN RSA PRIVATE KEY----- [ Private key for the host certificate immediately following ] -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- [ Host certificate (corresponds to that private key) ] -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- [ Intermediate OrganizationSSL Certificate..... ] -----END CERTIFICATE-----The openssl command can be used, as in
openssl x509 -text, using one of the certificate
portions as input.
That will show a readable (well, verbose) form
of the certificate.
That can be useful to help be sure you are replacing the correct
host certificate, and also to check the expiry date, etc.
But remember that data such as that cannot be included in the installed
file; it will cause the service to stop working.
Note that no Certificate Authority Certificate is included.
That's because a Certificate Authority Certificate is really only meaningful if
the client obtains it from a source different from the server providing the
service. Note how the OrganizationSSL Intermediate Root Certificate is used to connect the host certificate to the Certificate Authority.
Note that the private key and host certificate shown are only 1024-bit;
GlobalSign now requires 2048-bit keys, and so on renewal the above would
be (have been) upgraded.
-- AdrianPepper - 23 Mar 2011
| IncludeAdrianReferers |
Referers
This topic IncludeCertInetdFormat is referred to by...Topic revision: r7 - 2011-09-29 - AdrianPepper
Information in this area is meant for use by CSCF staff and is not official documentation, but anybody who is interested is welcome to use it if they find it useful.
- CF Web
- CF Web Home
- Changes
- Index
- Search
- Administration
- Communication
- Hardware
- HelpDeskGuide
- Infrastructure
- InternalProjects
- Linux
- MachineNotes
- Macintosh
- Management
- Networking
- Printing
- Research
- Security
- Software
- Solaris
- StaffStuff
- TaskGroups
- TermGoals
- Teaching
- UserSupport
- Vendors
- Windows
- XHier
- Other Webs
- My links
 |
|
Copyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback