Windows – How to Get a Valid SSL Public Certificate for Stunnel Configuration

Tags: reverse-proxy, ssl-certificate, stunnel, windows

In these directions for configuring Stunnel on Windows the following text appears:

Copy a valid SSL public certificate to the directory "C:\Program Files
(x86)\stunnel." To make things more trouble-free, combine the public
key and private key certificates into one .PEM file.

I would love to know how to do this but those directions skip over the mechanics of it.

Can anyone show me how please?

I'm on Windows 2016.

The certificate in question is a Let's Encrypt SSL certificate which matches the domain used to access the server.


EDIT I attempted to make a .pem using the instructions from RalfFriedle below

To export it from mmc, double click the certificate, go to tab
details, export to file, press next, select Base-64 encoded X.509,
press next, select a file name, press next and finish. Although
Windows wants to add a .cer extension, this is the certificate in PEM
format

the resulting file looks like this (without my obfuscation) …

-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

When I try to make use of it the framework reports …

OpenSSL.crypto.Error: [('PEM routines', 'PEM_read_bio', 'no start line')]

I'm adding that to the question as those terms in the error don't mean much to me, but I thought it might mean something to someone reading the question.


EDIT2 Thanks to a comment by RalfFriedle I found a part of the stunnel doco I had previously overlooked which documents the structure of what it's expecting in a .pem file – it's here: https://www.stunnel.org/static/stunnel.html#CERTIFICATES.

So it looks like if I:

  • take the result of the export;
  • generate a private key;
  • and then combine the two into one file

it might work! I will try that next.


EDIT3

Using the approach suggested by dave_thompson_085 I now have a working PEM! Great!

There is one thing though which is that when it's used I get prompted for the PEM Pass Phrase. This is OK in that I was prompted to create a passphrase while running the suggested command, but it's not ideal for normal use. Is there any way I can do the same thing but not have a passphrase?

This page suggests you can use openssl to remove the passphrase (https://futurestud.io/tutorials/how-to-remove-pem-password-from-ssl-certificate) but in fact that command produces a file which is no longer accepted by the process using the pem.

Would be great to hear of suggestions for how you can do that.

Also while I'm here I'll just say that when I first started using the openssl embedded in stunnel I saw warnings about not having a config file. These warnings went away when I set up an environment variable like this:

set OPENSSL_CONF=F:\bin\installed\stunnel\config\openssl.cnf

Where 'F:\bin\installed\stunnel' is where I have stunnel installed.

Another caveat for later readers. I have a copy of openssl as part of a Mingw/Git For Windows environment and I tried using that with the suggested command (because I had the window open already) and I found that it just hung. I don't know why it hung, but doing what dave_thompson_085 suggested, using the openssl embedded in stunnel, worked fine.

Best Answer

Assuming you are configuring the server end, any SSL/TLS server including stunnel (excluding some inapplicable cases) NEEDS A PRIVATE KEY AND CERTIFICATE.

If the 'certificate' in your Windows store is actually a 'certificate with private key', i.e. if it is in the Personal store (not the Trusted Root CAs store) and its icon has a little yellow key at the top left (in addition to the yellow seal at the bottom right), and it was not restricted from export, you need a different process with an additional step:

  • First, run the export wizard (either from mmc/certmgr or from InternetOptions = inetopt.cpl / Content / Certificates) and select "Yes export the private key" which will automatically set the format to "PKCS#12 (PFX)". Give it a password and suitable filename/location; it is probably most convenient to put it in the %programfiles*%\stunnel directory somewhere.

  • Second, run the openssl commandline program; there is one included in the stunnel distro for Windows (or at least was in the one I got a while back), or else there are lots of other places you can get an OpenSSL build for Windows. In a CMD window (or powershell) do:

    openssl pkcs12 -in thep12fromWindows -out mycertandkey.pem

    except specify the full pathname "(programfilesdir)\stunnel\bin\openssl" if that directory isn't either in your PATH or the working directory (which are the places Windows will find an unadorned name automatically). Use a name that identifies this cert and key in whatever fashion is convenient for you; the .pem suffix is not required but I recommend it for clarity.

    This file will contain both the PEM-format certificate and PEM-format private key as suggested in the stunnel instructions. By default the private key is encrypted so you will need to enter the password every time you start stunnel; if you don't want that, and aren't worried that some miscreant can get access to this file and then use your key and cert to impersonate your server and intercept its traffic, add -nodes to the command above.

If the certificate entry in the Windows store does not contain the private key, or has the private key set to export prohibited, you can't use it. If there is no private key, then the certificate must have originally been obtained on some other system (and copied here) because you cannot obtain a cert from most CAs, and particularly LE, without having the private key. Find where it came from and get the private key from there. If the private key is present but restricted, it still may have been copied from somewhere else that you can get it from. If not, if the key was generated here and set restricted at birth, whoever did that ruined this part of your life. Go chastise them, then throw away this cert and start over and generate a new private key that is NOT restricted and get a cert for it and then use those.
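An added check, written for this page and not taken from the question or the answer, that classifies a .pem file the way stunnel's loader will experience it. It covers the three situations the thread runs through: the "no start line" result from the first EDIT (OpenSSL found no `-----BEGIN` line at all, which is what a DER/.cer export or a UTF-16 text export produces), the certificate-only export that lacks the private key, and the answer's distinction between the passphrase-protected key `openssl pkcs12` writes by default and the unencrypted key it writes with `-nodes`. Standard library only; every PEM body below is constructed placeholder bytes rather than a real certificate or key, the `Bag Attributes` preamble is a constructed imitation of the text openssl pkcs12 prints around its blocks, and the status strings are my own naming.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import Dict, List, Optional

# Labels OpenSSL accepts for the key half of a combined cert+key PEM file.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


@dataclass
class PemBlock:
    label: str               # text between "-----BEGIN " and "-----"
    headers: Dict[str, str]  # "Key: value" lines before the base64 (Proc-Type/DEK-Info on legacy encrypted keys)
    der: bytes               # decoded body (not parsed further here)


def normalise_bytes(raw: bytes) -> str:
    """Undo the two Windows text-export quirks that hide the BEGIN line from OpenSSL:
    a UTF-16 file (BOM FF FE / FE FF) and a UTF-8 BOM in front of the first dash."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    if raw.startswith(b"\xef\xbb\xbf"):
        raw = raw[3:]
    return raw.decode("ascii", errors="replace")


def pem_blocks(raw: bytes) -> List[PemBlock]:
    """Split a PEM file into its blocks. Text outside blocks (openssl's Bag Attributes,
    subject=/issuer= lines) is ignored; CRLF line endings are accepted."""
    lines = normalise_bytes(raw).splitlines()
    blocks: List[PemBlock] = []
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        if not (line.startswith("-----BEGIN ") and line.endswith("-----")):
            i += 1
            continue
        label = line[len("-----BEGIN "):-len("-----")]
        end_marker = f"-----END {label}-----"
        headers: Dict[str, str] = {}
        body: List[str] = []
        i += 1
        # Optional headers come first and are terminated by a blank line; base64 never contains ':'.
        while i < len(lines) and ":" in lines[i]:
            key, _, value = lines[i].partition(":")
            headers[key.strip()] = value.strip()
            i += 1
        while i < len(lines) and lines[i].strip() != end_marker:
            body.append(lines[i].strip())
            i += 1
        if i >= len(lines):
            raise ValueError(f"{label}: BEGIN line without a matching END line")
        try:
            der = base64.b64decode("".join(body), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label}: body is not valid base64 ({exc})") from exc
        blocks.append(PemBlock(label, headers, der))
        i += 1
    return blocks


def check_stunnel_pem(raw: bytes) -> str:
    """Return a status string describing what stunnel will find in this file."""
    try:
        blocks = pem_blocks(raw)
    except ValueError:
        return "MALFORMED_PEM"
    if not blocks:
        # A DER/.cer export starts with an ASN.1 SEQUENCE tag (0x30); there is no BEGIN line to find,
        # which is the condition OpenSSL reports as "no start line".
        stripped = raw.lstrip(b"\xef\xbb\xbf \r\n\t")
        return "DER_NOT_PEM" if stripped[:1] == b"\x30" else "NO_PEM_BLOCKS"
    has_cert = any(b.label == "CERTIFICATE" for b in blocks)
    keys = [b for b in blocks if b.label in KEY_LABELS]
    if has_cert and not keys:
        return "CERT_ONLY"          # the mmc Base-64 export: certificate without its private key
    if keys and not has_cert:
        return "KEY_ONLY"
    if not keys:
        return "NO_CERT_OR_KEY"     # e.g. only a CSR or CRL block
    key = keys[0]
    encrypted = key.label == "ENCRYPTED PRIVATE KEY" or "ENCRYPTED" in key.headers.get("Proc-Type", "")
    return "OK_ENCRYPTED_KEY" if encrypted else "OK"   # encrypted => passphrase prompt at stunnel start


def pem_block_text(label: str, payload: bytes, headers: Optional[Dict[str, str]] = None) -> str:
    """Render one PEM block with 64-character base64 lines, as OpenSSL writes them."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [f"-----BEGIN {label}-----"]
    if headers:
        lines += [f"{k}: {v}" for k, v in headers.items()] + [""]
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"


# Constructed samples: placeholder payload bytes, NOT real certificates or keys.
BAG_PREAMBLE = "Bag Attributes\n    localKeyID: 01 02 03 04\nsubject=CN=example.invalid\n"
CERT_ONLY = pem_block_text("CERTIFICATE", b"placeholder bytes standing in for a DER certificate")
LEGACY_ENC_KEY = pem_block_text("RSA PRIVATE KEY", b"placeholder bytes standing in for an encrypted key",
                                {"Proc-Type": "4,ENCRYPTED", "DEK-Info": "AES-256-CBC,000102030405060708090A0B0C0D0E0F"})
PKCS8_ENC_KEY = pem_block_text("ENCRYPTED PRIVATE KEY", b"placeholder bytes standing in for a PKCS#8 encrypted key")
PLAIN_KEY = pem_block_text("PRIVATE KEY", b"placeholder bytes standing in for a PKCS#8 key")
COMBINED_LEGACY = BAG_PREAMBLE + CERT_ONLY + BAG_PREAMBLE + LEGACY_ENC_KEY   # passphrase-protected, legacy form
COMBINED_PKCS8 = BAG_PREAMBLE + CERT_ONLY + BAG_PREAMBLE + PKCS8_ENC_KEY     # passphrase-protected, PKCS#8 form
COMBINED_NODES = BAG_PREAMBLE + CERT_ONLY + BAG_PREAMBLE + PLAIN_KEY         # the -nodes shape: no prompt

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else COMBINED_NODES.encode()
    print(check_stunnel_pem(data))
```

Run it as `python pem_check.py mycertandkey.pem` (the script name is my choice) against the file produced by the `openssl pkcs12` command: `CERT_ONLY` means the key half is missing, `OK_ENCRYPTED_KEY` means a passphrase prompt is expected at every stunnel start, and `OK` is the `-nodes` shape, where the file itself now protects the key and should be readable only by the account stunnel runs as.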