Eric,

(Coming back to this.)

On 5/14/19 14:41, Eric Eberhard wrote:
> Chris,
>
> There are "real" certificates you purchase from a certificate authority and
> pay an annual fee. If this is https you pretty much need that or the user
> gets errors. By private I meant "self signed."
>
> However, openssl has an option to create a certificate. You type the name,
> address, whatever, and it makes a certificate. It is JUST AS GOOD as a
> purchased certificate (except https or perhaps others that want certificate
> authority certificates). I use them for FTP and SSH and many things.
>
> openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365
>
> You can put your own expire date(days) when you make the cert. A screen will
> come up and ask 20 questions :-) If you cannot do it (don't have openssl
> installed) I can do it for you. It certainly will work as a stop-gap. We
> don't need it for https as it is Apache on a machine that is hosted.

So... everything above is exactly what we do with this vendor. We don't have a problem getting a well-known-CA to sign the certificate. We have (had) a problem with the vendor just getting the damned work done.

Yes, I know it is a 5-minute process but when you are dealing with a big company where you have to have 6 managers in multiple time zones call each other to confirm the problem, have a meeting about the solution, determine a course of action, allocate a resource to perform the work, QA the solution, then get an IT review of everything before placing something into production, that 5-minute fix can take days or weeks.

I just wanted to say "I still trust this certificate, even though it has expired."

Is that possible to do without recompiling stunnel?

Thanks,
-chris

> -----Original Message-----
> From: stunnel-users [mailto:[email protected]] On Behalf Of
> Christopher Schultz
> Sent: Tuesday, May 14, 2019 6:49 AM
> To: [email protected]
> Subject: Re: [stunnel-users] Possible to verify client certificate BUT ignore
> expiration-date?
>
> Eric,
>
> On 5/13/19 18:06, Eric Eberhard wrote:
>> Use openssl to make a private cert?
>
> What is a "private cert"?
>
> Also, I need to trust an existing certificate... If they can create a new
> certificate, then I can just trust the new one. I'm looking for a stop-gap
> measure, here.
>
> Thanks,
> -chris
>
>> -----Original Message-----
>> From: stunnel-users [mailto:[email protected]] On
>> Behalf Of Christopher Schultz
>> Sent: Monday, May 13, 2019 2:28 PM
>> To: [email protected]
>> Subject: [stunnel-users] Possible to verify client certificate BUT ignore
>> expiration-date?
>>
>> All,
>>
>> Does anyone know if it is possible to perform all other verification of a
>> client certificate EXCEPT allow the certificate to have expired?
>>
>> We have a vendor whose certificate has expired, and we want to allow
>> their old certificate to work while they chase their tails trying to
>> figure out the best way to re-issue a new cert for us. *eyeroll*
>>
>> Is it possible?
>>
>> Thanks,
>> -chris
_______________________________________________ stunnel-users mailing list [email protected] https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
