Provided by: cipux-rpc-tools_3.4.0.9-3_all bug

NAME

       cipux_mkcertkey - simple script to generate certificate for stunnel

VERSION

       version 3.4.0.0

SYNOPSIS

               cipux_mkcertkey

REQUIRED ARGUMENTS

       None.

ABSTRACT

       In order to add security to your XML-RPC server you should generate a certificate. This
       script shows a simple method to do that. You have to take the responsibility by yourself
       to make sure you understand what you do.

DESCRIPTION

       Generates a certificate and a key in /etc/cipux/stunnel.

USAGE

        cipux_mkcertkey

OPTIONS

       None.

CERTIFICATE

       Each SSL enabled XML-RPC server needs to present a valid X.509 certificate to the peer and
       it also needs a private key to decrypt the incoming data.  The easiest way to obtain a
       certificate and a key is to generate them with the free openssl package. You can find more
       information on certificates generation below.  The certificates must be in PEM format and
       must be sorted starting with the certificate to the highest level (root CA)

       Two things are important when generating the certificate-key pairs.

       (1) Because the server has no way to obtain the password from the user, the private key
       cannot be encrypted.  To create an unencrypted key add the "-nodes" option when running
       the req command from the openssl kit.

       (2) The order of contents of the .pem file is also important. It should contain the
       unencrypted private key first, then a signed certificate (not certificate request). There
       should be also empty lines after certificate and private key.  Plaintext certificate
       information appended on the top of generated certificate should be discarded. So the file
       should look like this:

                    -----BEGIN RSA PRIVATE KEY-----
                    [encoded key]
                    -----END RSA PRIVATE KEY-----
                    [empty line]
                    -----BEGIN CERTIFICATE-----
                    [encoded certificate]
                    -----END CERTIFICATE-----
                    [empty line]

       This can be stored in one file or in two files. This script stores the in to files to have
       the flexibility to use the certificate in other location. This to files will be created:

        stunnel-cert.pem
        stunnel-key.pem

DIAGNOSTICS

       TODO: write explanations to the messages.

       "Cannot find certificate configuration: %s"
       "Cannot find openssl executable: %s"
       "Directory to store certs do not exist: %s"
       "Directory to store certs is not save!..."
            Directory to store certs is not save!
            Should be for example:
            drwx------ 2 root root 4096 2008-04-17 21:15 /etc/cipux/stunnel

       "Cannot execute %s"
       "Can not close %s"
       "Can not print to STDOUT!"
       "%s not known to the system!"

CONFIGURATION

       TODO.

DEPENDENCIES

       Carp CipUX File::stat Cwd POSIX Readonly Fatal English version

INCOMPATIBILITIES

       Not known.

BUGS AND LIMITATIONS

       Not known.

SEE ALSO

       See the CipUX webpage and the manual at <http://www.cipux.org> See the mailing list
       http://sympa.cipworx.org/wws/info/cipux-devel <http://sympa.cipworx.org/wws/info/cipux-
       devel>

AUTHOR

       Christian Kuelker  <christian.kuelker@cipworx.org>

LICENSE AND COPYRIGHT

       Copyright (C) 2008 by Christian Kuelker

       This program is free software; you can redistribute it and/or modify it under the terms of
       the GNU General Public License as published by the Free Software Foundation; either
       version 2, or (at your option) any later version.

       This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
       without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
       See the GNU General Public License for more details.

       You should have received a copy of the GNU General Public License along with this program;
       if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston,
       MA 02111-1307 USA