I have been researching making an HTTPS connection to stunnel, which requires a certificate with a CA. I tried many openssl commands and eventually found the reason Chrome does not recognise a CA: the client certificate needs "subject alt names".
Found the following. At the start of each section I put the link to the site I obtained the information from. I am only a novice at certificates and openssl. Usual disclaimer: use at your own risk. It worked for me, and required the creation of
makecert.bat
client.bat
openssl_SAN.cfg
as follows. I removed https:// from the start of the addresses.
>>>>>>>>>>>>>>>>>>>>>> Start openssl_SAN.cfg
# from gist.github.com/croxton/ebfb5f3ac143cd86542788f972434c96
# note: the batch files below reference this file as openssl_SAN.cnf; use the same name in both places
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = GB
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = England
localityName = Locality Name (eg, city)
localityName_default = Brighton
organizationName = Organization Name (eg, company)
organizationName_default = Hallmarkdesign
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = localhost
# this section is passed to "openssl x509 -req" via -extensions req_ext, which is what puts the SAN into the signed certificate
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = yourIP.com
DNS.2 = server10.yourIP.com
DNS.3 = localhost
DNS.4 = localhost.yourIP.com
DNS.5 = *.cawhoose.com
# an IP address must be an IP entry, not a DNS entry; browsers only match it against IP entries when you connect by address
IP.1 = 127.0.0.1
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> End of openssl_SAN.cfg
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Start makecert.bat
rem from videos.didierstevens.com/2015/03/27/howto-make-your-own-cert-with-openssl/
rem modify to the location where you saved the SAN config (called openssl_SAN.cfg above; keep one name for both)
set OPENSSL_CONF=C:\stunnel\config\openssl_SAN.cnf
rem First I made a directory under stunnel called cert1
set RANDFILE=c:\stunnel\cert1\.rnd
rem once again modify to the location of stunnel
cd c:\stunnel\bin
rem the CA key and the self-signed CA certificate
openssl genrsa -out c:\stunnel\cert1\ca.key
openssl req -new -x509 -days 1826 -key c:\stunnel\cert1\ca.key -out c:\stunnel\cert1\ca.crt
rem the server key and certificate request, then sign the request with the CA, adding the SAN extension from req_ext
openssl genrsa -out c:\stunnel\cert1\ia.key 4096
openssl req -new -key c:\stunnel\cert1\ia.key -out c:\stunnel\cert1\ia.csr
openssl x509 -req -days 730 -in c:\stunnel\cert1\ia.csr -CA c:\stunnel\cert1\ca.crt -CAkey c:\stunnel\cert1\ca.key -set_serial 04 -out c:\stunnel\cert1\ia.crt -extensions req_ext -extfile c:\stunnel\config\openssl_SAN.cnf
rem bundle key, certificate and CA chain into a PKCS#12 file
rem in Windows, double clicking ia.p12 will start the certificate import.
rem in the import wizard I selected local machine then accepted the defaults.
openssl pkcs12 -export -out c:\stunnel\cert1\ia.p12 -inkey c:\stunnel\cert1\ia.key -in c:\stunnel\cert1\ia.crt -chain -CAfile c:\stunnel\cert1\ca.crt
rem now need to modify and run client.bat
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> End of makecert.bat
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Start client.bat
rem modify the paths to suit your installation
rem from stackoverflow.com/questions/54491901/how-to-generate-both-server-and-client-certificates-under-root-ca
rem modify the path to the location of the file openssl_SAN; I put it in the default location where openssl.cnf resides
rem First I made a directory under stunnel called cert1
set OPENSSL_CONF=C:\stunnel\config\openssl_SAN.cnf
set RANDFILE=c:\stunnel\cert1\.rnd
cd c:\stunnel\bin
echo Generating RSA Private Key for Client certificate
openssl genrsa -out c:\stunnel\cert1\client.key 4096
echo Generating Certificate Signing Request for Client certificate
openssl req -new -key c:\stunnel\cert1\client.key -out c:\stunnel\cert1\client.csr
echo Generating certificate for Client certificate
openssl x509 -req -days 1825 -in c:\stunnel\cert1\client.csr -CA c:\stunnel\cert1\ca.crt -CAkey c:\stunnel\cert1\ca.key -set_serial 01 -out c:\stunnel\cert1\client.crt -extensions req_ext -extfile c:\stunnel\config\openssl_SAN.cnf
rem change to the directory where the certificates have been created
cd c:\stunnel\cert1
echo "Done"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> End of client.bat
>>>>>>>>>>>>>>>>>>>>>>>>>>>> Start stunnel.conf
; the batch files above write the files to c:\stunnel\cert1; point cert, key and CAfile at the directory that actually holds them
[BlueIris]
sslVersion = TLSv1.2
TIMEOUTclose = 0
client = no
accept = 1440
connect = 8080
cert = c:\stunnel\cert\client.crt
key = c:\stunnel\cert\client.key
CAfile = c:\stunnel\cert\ca.crt
[KitchenAp]
sslVersion = TLSv1.2
TIMEOUTclose = 0
client = no
accept = 8443
connect = kitchen.cawhoose.com:80
cert = c:\stunnel\cert\client.crt
key = c:\stunnel\cert\client.key
CAfile = c:\stunnel\cert\ca.crt
[GroundAp]
sslVersion = TLSv1.2
TIMEOUTclose = 0
client = no
accept = 8444
connect = ground.cawhoose.com:80
cert = c:\stunnel\cert\client.crt
key = c:\stunnel\cert\client.key
CAfile = c:\stunnel\cert\ca.crt
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> End of stunnel.conf
I emailed myself the ca.crt, opened it on my iPad and double clicked it, which starts the import. Then go to Settings; you should now see a selection below your name to import the profile. I clicked through this. Then start Safari. For example, the first time you get a warning; click proceed and Blue Iris will load. The next time there will be no warning, but the padlock will be displayed.
On the Windows machine, double clicking ia.p12 starts the certificate import; I selected local machine then accepted the defaults. Chrome made the connection to Blue Iris without alerts, and clicking the padlock shows a valid certificate.
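An added example, not code from the original post: it rebuilds the same CA -> SAN-bearing server certificate chain in a POSIX shell, then uses openssl verify with -verify_hostname and -verify_ip to check which names the certificate actually matches, which applies the same name-matching rules a browser does before showing the padlock. It assumes the openssl CLI (1.0.2 or later) is on PATH; the config, key sizes and domain names are constructed for the example (cawhoose.com is the wildcard from the post's config). The same request is signed twice, once with 127.0.0.1 as a DNS entry as in the post's openssl_SAN.cfg and once as an IP entry, to show that only the IP entry passes an IP check, and it shows that *.cawhoose.com covers kitchen.cawhoose.com but neither the bare cawhoose.com nor a.b.cawhoose.com.

```shell
#!/bin/sh
# Added example (not code from the original post): rebuild the CA -> server
# certificate chain with a POSIX shell and the openssl CLI, then use
# "openssl verify" to check which names the certificate actually matches.
# Assumes: openssl (1.0.2 or later) on PATH; all file and domain names are
# constructed for this example and mirror the ones used in the post.
set -u

WORK="$(mktemp -d)"

# Constructed config: the layout of openssl_SAN.cfg, plus a CA extension
# section and a second SAN list that carries 127.0.0.1 as an IP entry.
cat > "$WORK/san.cnf" <<'EOF'
[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
commonName         = Common Name
commonName_default = localhost

[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = localhost
DNS.2 = 127.0.0.1
DNS.3 = *.cawhoose.com

[ req_ext_fixed ]
subjectAltName = @alt_names_fixed

[ alt_names_fixed ]
DNS.1 = localhost
IP.1  = 127.0.0.1
DNS.2 = *.cawhoose.com
EOF

# Build the CA and sign one CSR twice: with the post's SAN list (req_ext) and
# with the corrected one (req_ext_fixed). Returns 0 on success, 1 on failure.
make_pki() {
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=Example Private CA" -config "$WORK/san.cnf" -extensions ca_ext \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null || return 1
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=localhost" \
        -config "$WORK/san.cnf" -keyout "$WORK/server.key" -out "$WORK/server.csr" \
        2>/dev/null || return 1
    for ext in req_ext req_ext_fixed; do
        openssl x509 -req -days 365 -in "$WORK/server.csr" \
            -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
            -extfile "$WORK/san.cnf" -extensions "$ext" \
            -out "$WORK/server_$ext.crt" 2>/dev/null || return 1
    done
}

# verify_name CERT -verify_hostname|-verify_ip VALUE
# Returns 0 only when the chain validates against ca.crt AND the name matches
# a SAN entry of the right type (the CN is not consulted once a SAN exists).
verify_name() {
    out="$(openssl verify -CAfile "$WORK/ca.crt" "$2" "$3" "$WORK/$1" 2>&1 || true)"
    case "$out" in
        *": OK"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# list_sans CERT: print the subjectAltName line(s) as openssl decodes them.
list_sans() {
    openssl x509 -in "$WORK/$1" -noout -text | grep -A1 "Subject Alternative Name"
}

# Stand-alone run.
if make_pki; then
    list_sans server_req_ext_fixed.crt
    verify_name server_req_ext_fixed.crt -verify_ip 127.0.0.1 && echo "IP entry: 127.0.0.1 matches"
    verify_name server_req_ext.crt -verify_ip 127.0.0.1 || echo "DNS entry: 127.0.0.1 does NOT match an IP check"
    verify_name server_req_ext_fixed.crt -verify_hostname cawhoose.com || echo "*.cawhoose.com does not cover the bare domain"
else
    echo "openssl missing or key generation failed" >&2
fi
```

The same check applies to the post's own output: from c:\stunnel\bin, run openssl verify -CAfile c:\stunnel\cert1\ca.crt -verify_hostname kitchen.cawhoose.com c:\stunnel\cert1\client.crt, and openssl x509 -in c:\stunnel\cert1\client.crt -noout -text to see the SAN list that was actually embedded. If the -extfile step was skipped, the text output will show no Subject Alternative Name section, which is the condition under which Chrome rejects the certificate regardless of what the commonName says.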