Provided by: cipux-rpc-tools_3.4.0.9-3.1_all
NAME
cipux_mkcertkey - simple script to generate certificate for stunnel
VERSION
version 3.4.0.0
SYNOPSIS
cipux_mkcertkey
REQUIRED ARGUMENTS
None.
ABSTRACT
In order to add security to your XML-RPC server you should generate a certificate. This script shows a simple method to do that. You have to take the responsibility by yourself to make sure you understand what you do.
DESCRIPTION
Generates a certificate and a key in /etc/cipux/stunnel.
USAGE
cipux_mkcertkey
OPTIONS
None.
CERTIFICATE
Each SSL enabled XML-RPC server needs to present a valid X.509 certificate to the peer and it also needs a private key to decrypt the incoming data. The easiest way to obtain a certificate and a key is to generate them with the free openssl package. You can find more information on certificates generation below. The certificates must be in PEM format and must be sorted starting with the certificate to the highest level (root CA) Two things are important when generating the certificate-key pairs. (1) Because the server has no way to obtain the password from the user, the private key cannot be encrypted. To create an unencrypted key add the "-nodes" option when running the req command from the openssl kit. (2) The order of contents of the .pem file is also important. It should contain the unencrypted private key first, then a signed certificate (not certificate request). There should be also empty lines after certificate and private key. Plaintext certificate information appended on the top of generated certificate should be discarded. So the file should look like this: -----BEGIN RSA PRIVATE KEY----- [encoded key] -----END RSA PRIVATE KEY----- [empty line] -----BEGIN CERTIFICATE----- [encoded certificate] -----END CERTIFICATE----- [empty line] This can be stored in one file or in two files. This script stores the in to files to have the flexibility to use the certificate in other location. This to files will be created: stunnel-cert.pem stunnel-key.pem
DIAGNOSTICS
TODO: write explanations to the messages. "Cannot find certificate configuration: %s" "Cannot find openssl executable: %s" "Directory to store certs do not exist: %s" "Directory to store certs is not save!..." Directory to store certs is not save! Should be for example: drwx------ 2 root root 4096 2008-04-17 21:15 /etc/cipux/stunnel "Cannot execute %s" "Can not close %s" "Can not print to STDOUT!" "%s not known to the system!"
CONFIGURATION
TODO.
DEPENDENCIES
Carp CipUX File::stat Cwd POSIX Readonly Fatal English version
INCOMPATIBILITIES
Not known.
BUGS AND LIMITATIONS
Not known.
SEE ALSO
See the CipUX webpage and the manual at <http://www.cipux.org> See the mailing list <http://sympa.cipworx.org/wws/info/cipux-devel>
AUTHOR
Christian Kuelker <christian.kuelker@cipworx.org>
LICENSE AND COPYRIGHT
Copyright (C) 2008 by Christian Kuelker This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA