Commands to regenerate the CA and client certificate. Only needed when the current certs expire (2035) or are compromised. Run on pomelo. See ssl/pki for the trust model before running these.
Warning: regenerating the CA means redeploying server.pem and server.key to all managed servers and updating pomelo's /etc/stunnel/CA.pem. Regenerating only the client cert does not require server changes.
Step 1 (CA): run in ~/ssl/C/CA/. Generates a new self-signed CA cert valid for 10 years.
cd ~/ssl/C/CA
openssl genrsa -out key 4096
openssl req -new -x509 -key key -out cert -days 3653 \
-subj "/C=UK/ST=South Gloucestershire/L=Winterbourne/O=Critchley/OU=John/CN=John Critchley/emailAddress=john@critchley.biz"
Step 2 (client cert): run in ~/ssl/C/. Generates a client key and cert signed by the CA. Must be run after Step 1 if the CA was regenerated.
cd ~/ssl/C
openssl genrsa -out key 4096
openssl req -new -key key -out req \
-subj "/C=UK/L=Winterbourne/CN=John Critchley"
openssl x509 -req -days 3653 -out cert -in req \
-CA CA/cert -CAkey CA/key -set_serial 101
After regenerating:
Servers (if CA was regenerated): re-run ansible-playbook setup_server.yml --tags stunnel -e target=<each-host> for every managed host.
Pomelo client side (always): copy updated files to /etc/stunnel/ as documented in ssl/pki under "Setting Up a New Controller", then systemctl restart stunnel4.
# Check expiry of current CA cert
openssl x509 -noout -dates -in ~/ssl/C/CA/cert
# Check expiry of current client cert
openssl x509 -noout -dates -in ~/ssl/C/cert
# Verify client cert is signed by CA
openssl verify -CAfile ~/ssl/C/CA/cert ~/ssl/C/cert
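Added example, not part of this runbook: a single check to run over ~/ssl/C after Step 1 and Step 2 and before touching any server. It folds the three commands above into one function and adds the checks that catch the usual mistakes: a key that does not belong to its cert (e.g. Step 2 re-run with a stale CA/key), a cert that is already close to expiry, and a private key readable by other users. The directory argument and the day threshold are assumptions for this example.

```shell
#!/bin/sh
# check_pki DIR [MIN_DAYS]: DIR is laid out like ~/ssl/C in the runbook
# (CA/cert, CA/key, cert, key). Returns 0 if everything is consistent.
set -u

check_pki() {
    dir=$1
    min_days=${2:-30}                       # assumed threshold, not from the runbook
    ca_cert="$dir/CA/cert"; ca_key="$dir/CA/key"
    cert="$dir/cert";       key="$dir/key"

    # 1. The CA key must be the one that belongs to the CA cert (compare SPKI PEM).
    [ "$(openssl x509 -noout -pubkey -in "$ca_cert")" = "$(openssl pkey -pubout -in "$ca_key")" ] \
        || { echo "CA/key does not match CA/cert"; return 1; }

    # 2. Same for the client key and client cert.
    [ "$(openssl x509 -noout -pubkey -in "$cert")" = "$(openssl pkey -pubout -in "$key")" ] \
        || { echo "key does not match cert"; return 1; }

    # 3. The client cert must chain to this CA (the runbook's verify step).
    openssl verify -CAfile "$ca_cert" "$cert" >/dev/null 2>&1 \
        || { echo "cert is not signed by CA/cert"; return 1; }

    # 4. Neither cert may expire within min_days (checkend takes seconds).
    for c in "$ca_cert" "$cert"; do
        openssl x509 -noout -checkend $((min_days * 86400)) -in "$c" >/dev/null \
            || { echo "$c expires within $min_days days"; return 1; }
    done

    # 5. Private keys must be owner-only (mode ends in 00: 600, 400, 700).
    for k in "$ca_key" "$key"; do
        mode=$(stat -c %a "$k" 2>/dev/null || stat -f %Lp "$k")
        case $mode in
            *00) ;;
            *) echo "$k has mode $mode; expected owner-only (600)"; return 1 ;;
        esac
    done

    echo "PKI in $dir is consistent"
    return 0
}
```

If only the client cert is reissued under the existing CA, give it a serial other than the 101 used above, since serial numbers must be unique per issuer.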