.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.de IX
..
.IX Title "CIPUX_MKCERTKEY 1p"
.TH CIPUX_MKCERTKEY 1p "2015-07-24" "perl v5.20.2" "User Contributed Perl Documentation"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
cipux_mkcertkey \- simple script to generate a certificate for stunnel
.SH "VERSION"
.IX Header "VERSION"
version 3.4.0.0
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
.Vb 1
\& cipux_mkcertkey
.Ve
.SH "REQUIRED ARGUMENTS"
.IX Header "REQUIRED ARGUMENTS"
None.
.SH "ABSTRACT"
.IX Header "ABSTRACT"
In order to add transport security to your XML-RPC server you should
generate a certificate. This script shows a simple method to do that.
It is your own responsibility to make sure you understand what you are
doing.
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
Generates a certificate and a key in /etc/cipux/stunnel.
.SH "USAGE"
.IX Header "USAGE"
.Vb 1
\& cipux_mkcertkey
.Ve
.SH "OPTIONS"
.IX Header "OPTIONS"
None.
.SH "CERTIFICATE"
.IX Header "CERTIFICATE"
Each \s-1SSL\s0 enabled XML-RPC server needs to present a valid X.509
certificate to the peer, and it also needs a private key to decrypt the
incoming data. The easiest way to obtain a certificate and a key is to
generate them with the free openssl package. You can find more
information on certificate generation below. The certificates must be
in \s-1PEM\s0 format and must be sorted starting with the server's own
certificate and ending with the highest-level one (the root \s-1CA\s0).
.PP
Two things are important when generating the certificate-key pairs.
.PP
(1) Because the server has no way to obtain the password from the user,
the private key cannot be encrypted. To create an unencrypted key, add
the \(lq\-nodes\(rq option when running the req command from the openssl
kit.
.PP
(2) The order of the contents of the .pem file is also important. It
should contain the unencrypted private key first, then a signed
certificate (not a certificate request). There should also be an empty
line after the certificate and after the private key. Any plaintext
certificate information printed above the generated certificate should
be discarded.
So the file should look like this:
.PP
.Vb 8
\& \-\-\-\-\-BEGIN RSA PRIVATE KEY\-\-\-\-\-
\& [encoded key]
\& \-\-\-\-\-END RSA PRIVATE KEY\-\-\-\-\-
\& [empty line]
\& \-\-\-\-\-BEGIN CERTIFICATE\-\-\-\-\-
\& [encoded certificate]
\& \-\-\-\-\-END CERTIFICATE\-\-\-\-\-
\& [empty line]
.Ve
.PP
This can be stored in one file or in two files. This script stores them
in two files, so that the certificate can also be used in other
locations. These two files will be created:
.PP
.Vb 2
\& stunnel\-cert.pem
\& stunnel\-key.pem
.Ve
.SH "DIAGNOSTICS"
.IX Header "DIAGNOSTICS"
\&\s-1TODO:\s0 write explanations for the messages.
.ie n .IP """Cannot find certificate configuration: %s""" 4
.el .IP "\f(CWCannot find certificate configuration: %s\fR" 4
.IX Item "Cannot find certificate configuration: %s"
.PD 0
.ie n .IP """Cannot find openssl executable: %s""" 4
.el .IP "\f(CWCannot find openssl executable: %s\fR" 4
.IX Item "Cannot find openssl executable: %s"
.ie n .IP """Directory to store certs do not exist: %s""" 4
.el .IP "\f(CWDirectory to store certs do not exist: %s\fR" 4
.IX Item "Directory to store certs do not exist: %s"
.ie n .IP """Directory to store certs is not save!...""" 4
.el .IP "\f(CWDirectory to store certs is not save!...\fR" 4
.IX Item "Directory to store certs is not save!..."
.PD
.Vb 3
\& Directory to store certs is not save!
\& Should be for example:
\& drwx\-\-\-\-\-\- 2 root root 4096 2008\-04\-17 21:15 /etc/cipux/stunnel
.Ve
.ie n .IP """Cannot execute %s""" 4
.el .IP "\f(CWCannot execute %s\fR" 4
.IX Item "Cannot execute %s"
.PD 0
.ie n .IP """Can not close %s""" 4
.el .IP "\f(CWCan not close %s\fR" 4
.IX Item "Can not close %s"
.ie n .IP """Can not print to STDOUT!""" 4
.el .IP "\f(CWCan not print to STDOUT!\fR" 4
.IX Item "Can not print to STDOUT!"
.ie n .IP """%s not known to the system!""" 4
.el .IP "\f(CW%s not known to the system!\fR" 4
.IX Item "%s not known to the system!"
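.SH "EXAMPLE"
.IX Header "EXAMPLE"
The steps described in the \s-1CERTIFICATE\s0 and \s-1DIAGNOSTICS\s0 sections, as an added POSIX shell example that is not the cipux_mkcertkey script's own code: the directory permission check behind the \(lqnot save\(rq diagnostic, generation of an unencrypted key with openssl req \-nodes into stunnel\-key.pem and stunnel\-cert.pem, and assembly of the single-file layout with the key first and an empty line after each block. The owner parameter, the \-subj value, the key size and the validity period are assumptions.

```shell
#!/bin/sh
# Added example, not the cipux_mkcertkey script: the steps the man page
# describes as POSIX shell functions. Assumes the openssl CLI and GNU or BSD
# stat; the owner parameter, subject, key size and validity are assumptions.
set -eu

# Mirrors the "Directory to store certs is not save!" diagnostic: the target
# directory must exist, be mode 0700 and belong to the expected owner (root
# for the real script, as in "drwx------ 2 root root ... /etc/cipux/stunnel").
check_cert_dir() {
    dir=$1; owner=${2:-root}
    [ -d "$dir" ] || { echo "Directory to store certs do not exist: $dir" >&2; return 1; }
    set -- $(stat -c '%a %U' "$dir" 2>/dev/null || stat -f '%Lp %Su' "$dir")
    [ "$1" = 700 ] && [ "$2" = "$owner" ] ||
        { echo "Directory to store certs is not save! (mode $1, owner $2)" >&2; return 1; }
}

# Generates an unencrypted key (-nodes, since stunnel cannot ask for a
# passphrase) and a self-signed certificate into the two files the man page
# names. Not invoked at load time; needs the openssl executable.
mkcertkey() {
    dir=$1
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 -subj "/CN=cipux-xmlrpc" \
        -keyout "$dir/stunnel-key.pem" -out "$dir/stunnel-cert.pem"
    chmod 600 "$dir/stunnel-key.pem"
}

# Builds the single-file layout stunnel expects on stdout: private key block,
# empty line, certificate block, empty line. The sed ranges drop any plaintext
# certificate dump printed above the BEGIN line.
assemble_stunnel_pem() {
    sed -n '/^-----BEGIN .*PRIVATE KEY-----$/,/^-----END .*PRIVATE KEY-----$/p' "$1"
    echo
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$2"
    echo
}

# Verifies the layout of a combined file: the first PEM block is a private
# key, a certificate block follows, and every END line is followed by an
# empty line.
pem_order_ok() {
    first=$(grep '^-----BEGIN ' "$1" | head -n 1)
    case $first in *"PRIVATE KEY-----") ;; *) return 1 ;; esac
    grep -q '^-----BEGIN CERTIFICATE-----$' "$1" || return 1
    awk 'BEGIN{bad=0} /^-----END /{want=1; next} want{if ($0 != "") bad=1; want=0}
         END{if (want) bad=1; exit bad}' "$1"
}
```

Run `check_cert_dir /etc/cipux/stunnel && mkcertkey /etc/cipux/stunnel` as root to reproduce the script's behaviour, and `assemble_stunnel_pem stunnel-key.pem stunnel-cert.pem > stunnel.pem` when stunnel should read a single file.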
.PD
.SH "CONFIGURATION"
.IX Header "CONFIGURATION"
\&\s-1TODO.\s0
.SH "DEPENDENCIES"
.IX Header "DEPENDENCIES"
Carp
CipUX
File::stat
Cwd
\&\s-1POSIX\s0
Readonly
Fatal
English
version
.SH "INCOMPATIBILITIES"
.IX Header "INCOMPATIBILITIES"
Not known.
.SH "BUGS AND LIMITATIONS"
.IX Header "BUGS AND LIMITATIONS"
Not known.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
See the CipUX webpage and the manual at
.PP
See the mailing list
.SH "AUTHOR"
.IX Header "AUTHOR"
Christian Kuelker
.SH "LICENSE AND COPYRIGHT"
.IX Header "LICENSE AND COPYRIGHT"
Copyright (C) 2008 by Christian Kuelker
.PP
This program is free software; you can redistribute it and/or modify it
under the terms of the \s-1GNU\s0 General Public License as published by
the Free Software Foundation; either version 2, or (at your option) any
later version.
.PP
This program is distributed in the hope that it will be useful, but
\&\s-1WITHOUT ANY WARRANTY\s0; without even the implied warranty of
\&\s-1MERCHANTABILITY\s0 or \s-1FITNESS FOR A PARTICULAR PURPOSE. \s0 See the
\&\s-1GNU\s0 General Public License for more details.
.PP
You should have received a copy of the \s-1GNU\s0 General Public License
along with this program; if not, write to the Free Software Foundation,
Inc., 59 Temple Place, Suite 330, Boston, \s-1MA 02111\-1307 USA\s0