I have been researching making an HTTPS connection to stunnel, which requires a certificate with a CA. Tried many openssl commands and eventually found the reason Chrome does not recognise a CA and client certificate: it needs "subject alt names".
Found the following. At the start of each section I put the link to the sites I obtained the information from. I am only a novice at certificates and openssl. Usual disclaimer: use at your own risk. It worked for me, and required the creation of
makecert.bat
client.bat
openssl_SAN.cfg
as follows
At the start of each section I have put the address of the site I obtained the information from. I removed https:// from the start of the addresses.
>>>>>>>>>>>>>>>>>>>>>>Start openssl_SAN.cfg
# from gist.github.com/croxton/ebfb5f3ac143cd86542788f972434c96
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = England
localityName = Locality Name (eg, city)
localityName_default = Brighton
organizationName = Organization Name (eg, company)
organizationName_default = Hallmarkdesign
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = localhost
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = yourIP.com
DNS.2 = server10.youIP.com
DNS.3 = localhost
DNS.4 = 127.0.0.1
DNS.5 = localhost.yourIP.com
DNS.6 = *.cawhoose.com
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>End of openssl_SAN.cfg
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Start makecert.bat
rem videos.didierstevens.com/2015/03/27/howto-make-your-own-cert-with-openssl/
Rem modify to the location of your openssl_SAN config file (the listing above is named
Rem openssl_SAN.cfg; the name and extension must match what is set here)
set OPENSSL_CONF=C:\stunnel\config\openssl_SAN.cnf
Rem First I made a directory under stunnel called cert1
set RANDFILE=c:\stunnel\cert1\.rnd
Rem once again modify to location of stunnel
cd c:\stunnel\bin
openssl genrsa -out c:\stunnel\cert1\ca.key
openssl req -new -x509 -days 1826 -key c:\stunnel\cert1\ca.key -out c:\stunnel\cert1\ca.crt
openssl genrsa -out c:\stunnel\cert1\ia.key 4096
openssl req -new -key c:\stunnel\cert1\ia.key -out c:\stunnel\cert1\ia.csr
openssl x509 -req -days 730 -in c:\stunnel\cert1\ia.csr -CA c:\stunnel\cert1\ca.crt -CAkey c:\stunnel\cert1\ca.key -set_serial 04 -out c:\stunnel\cert1\ia.crt -extensions req_ext -extfile c:\stunnel\config\openssl_SAN.cnf
rem in windows double clicking ia.p12 will start certificate import.
rem in the certificate I selected local machine then accepted the defaults.
openssl pkcs12 -export -out c:\stunnel\cert1\ia.p12 -inkey c:\stunnel\cert1\ia.key -in c:\stunnel\cert1\ia.crt -chain -CAfile c:\stunnel\cert1\ca.crt
rem now need to modify and run client.bat
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>end of makecert.bat
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>Start client.bat
Rem modify the paths to suit your installation
Rem from stackoverflow.com/questions/54491901/how-to-generate-both-server-and-client-certificates-under-root-ca
Rem modify the path to the location of the "openssl_SAN" file; I put it in the default location where openssl.cnf resides
Rem First I made a directory under stunnel called cert1
set OPENSSL_CONF=C:\stunnel\config\openssl_SAN.cnf
set RANDFILE=c:\stunnel\cert1\.rnd
cd c:\stunnel\bin
echo Generating RSA Private Key for Client certificate
openssl genrsa -out c:\stunnel\cert1\client.key 4096
echo Generating Certificate Signing Request for Client certificate
openssl req -new -key c:\stunnel\cert1\client.key -out c:\stunnel\cert1\client.csr
echo Generating certificate for Client certificate
openssl x509 -req -days 1825 -in c:\stunnel\cert1\client.csr -CA c:\stunnel\cert1\ca.crt -CAkey c:\stunnel\cert1\ca.key -set_serial 01 -out c:\stunnel\cert1\client.crt -extensions req_ext -extfile c:\stunnel\config\openssl_SAN.cnf
rem change to directory where certificates have been created
cd c:\stunnel\cert1
echo "Done"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>End of client.bat
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Start stunnel.conf
[BlueIris]
sslVersion = TLSv1.2
TIMEOUTclose=0
client=no
accept=1440
connect=8080
cert = c:\stunnel\cert\client.crt
key = c:\stunnel\cert\client.key
CAfile = c:\stunnel\cert\ca.crt
[KitchenAp]
sslVersion = TLSv1.2
TIMEOUTclose=0
client = no
accept = 8443
connect = kitchen.cawhoose.com:80
cert = c:\stunnel\cert\client.crt
key = c:\stunnel\cert\client.key
CAfile = c:\stunnel\cert\ca.crt
[GroundAp]
sslVersion = TLSv1.2
TIMEOUTclose=0
client = no
accept = 8444
connect = ground.cawhoose.com:80
cert = c:\stunnel\cert\client.crt
key = c:\stunnel\cert\client.key
CAfile = c:\stunnel\cert\ca.crt
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>end of stunnel.conf
I emailed myself the ca.crt, opened it on my iPad and double clicked, which starts the import. Then go to Settings; you should now see a selection below your name to import the profile. Clicked through this. Then start Safari. The first time you get a warning; click proceed and Blue Iris will load. Next time there will be no warning but the padlock will be displayed. The warning will not be shown the next time.
On the Windows machine, double clicking ia.p12 starts the certificate import; I selected local machine then accepted the defaults. Chrome made the connection to Blue Iris without alerts, and clicking the padlock shows a valid certificate.
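Added example (not from the post above): a small checker that reads the [alt_names] section of the openssl_SAN.cfg listing and reports which hostnames a browser would accept a certificate issued from it for, using the dNSName wildcard rule from RFC 6125 and the RFC 5280 rule that numeric hosts only match iPAddress (IP.n) entries. The embedded config text is a constructed copy of the post's list; it shows why the DNS.4 = 127.0.0.1 entry does not make https://127.0.0.1 trusted.

```python
import ipaddress

# Constructed copy of the [alt_names] section from the openssl_SAN.cfg listing above.
ALT_NAMES_SECTION = """
[alt_names]
DNS.1 = yourIP.com
DNS.2 = server10.youIP.com
DNS.3 = localhost
DNS.4 = 127.0.0.1
DNS.5 = localhost.yourIP.com
DNS.6 = *.cawhoose.com
"""

def parse_alt_names(text):
    """Collect DNS.n and IP.n values from the [alt_names] section of an OpenSSL config."""
    dns, ips, in_section = [], [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            in_section = line.strip("[] ").lower() == "alt_names"
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            kind = key.split(".", 1)[0].upper()
            if kind == "DNS":
                dns.append(value)
            elif kind == "IP":
                ips.append(value)
    return dns, ips

def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def dns_name_matches(pattern, host):
    """Browser-style dNSName match: '*.' covers exactly one leftmost label (RFC 6125)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".cawhoose.com": exactly one label may precede it
        return host.endswith(suffix) and host.count(".") == suffix.count(".")
    return pattern == host

def san_covers(alt_names_text, host):
    """True if a browser would accept a cert issued with this SAN list for `host`."""
    dns, ips = parse_alt_names(alt_names_text)
    addr = _as_ip(host)
    if addr is None:
        return any(dns_name_matches(p, host) for p in dns)
    # Numeric hosts are matched only against IP.n entries (RFC 5280 iPAddress);
    # an IP written as DNS.4 above is a dNSName string and never matches an IP URL.
    return any(_as_ip(p) == addr for p in ips)
```

To make https://127.0.0.1 trusted, add `IP.1 = 127.0.0.1` under [alt_names] and re-issue the certificate.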