05-15-2013 04:39 AM
The key point to understand is that Stingray accepts certificates and private keys in the PEM format. It does not generally accept compound PEM files, where multiple objects are in the same PEM bundle - one exception is the use of chained certificates.
PEM files are plain-text and have an easily-recognized format.
An SSL certificate in PEM format contains a header and footer, with a Base-64 encoded payload:
$ cat cert.public
An SSL private key uses a different header:
$ cat key.private
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Certificate signing requests (CSR) use the header 'BEGIN NEW CERTIFICATE REQUEST'; certificate revocation lists (CRL) begin 'BEGIN X509 CRL'.
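The rules above (single-object PEM only, chains being the one accepted bundle, no encrypted keys, DER needing conversion first) can be checked before a file is uploaded. The script below is an added example, not Riverbed's cert tool or anything from the original post: it recognises a file by its PEM headers or its leading DER byte and prints a one-word verdict. The sample files it writes are constructed placeholders whose base64 payloads are dummies; only the headers matter for the check. It needs only POSIX sh, sed, grep and od.

```shell
#!/bin/sh
# pem_check.sh: pre-flight check for certificate material before loading it into
# Stingray. Added example, not Riverbed's own tooling; file names and the sample
# contents below are constructed placeholders.

# Print the PEM object types in a file, one per line, e.g. CERTIFICATE,
# RSA PRIVATE KEY, NEW CERTIFICATE REQUEST, X509 CRL. CR characters are dropped
# so files exported from Windows with CRLF line endings are read correctly.
pem_types() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# Number of PEM objects in the file (0 for DER or empty input).
pem_count() {
    pem_types "$1" | wc -l | tr -d ' '
}

# True if the file is binary DER: the first byte is an ASN.1 SEQUENCE tag (0x30)
# and there is no PEM header anywhere in it.
is_der() {
    [ "$(od -An -tx1 -N1 "$1" | tr -d ' ')" = "30" ] && ! grep -q -- '-----BEGIN' "$1"
}

# True if the file holds a passphrase-protected private key (traditional
# "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 ENCRYPTED PRIVATE KEY block).
is_encrypted_key() {
    tr -d '\r' < "$1" | grep -q -e '^Proc-Type: 4,ENCRYPTED' -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----$'
}

# One-word verdict for a file:
#   der        binary DER: convert with openssl ... -inform DER -outform PEM
#   empty      no PEM object found and not DER
#   encrypted  private key needs its passphrase removed (openssl rsa -in ... -out ...)
#   chain      several certificates only: the one compound PEM form that is accepted
#   bundle     mixed objects in one file (e.g. cert + key): split before uploading
#   ok         exactly one PEM object
classify() {
    file=$1
    if is_der "$file"; then echo der; return 0; fi
    count=$(pem_count "$file")
    if [ "$count" -eq 0 ]; then echo empty; return 0; fi
    if is_encrypted_key "$file"; then echo encrypted; return 0; fi
    if [ "$count" -gt 1 ]; then
        non_certs=$(pem_types "$file" | grep -v '^CERTIFICATE$' | wc -l | tr -d ' ')
        if [ "$non_certs" -eq 0 ]; then echo chain; else echo bundle; fi
        return 0
    fi
    echo ok
}

# Write constructed sample files into DIR (dummy payloads, real headers).
make_samples() {
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' > "$dir/single.pem"
    cat "$dir/single.pem" > "$dir/chain.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'BBBB' '-----END CERTIFICATE-----' >> "$dir/chain.pem"
    cat "$dir/single.pem" > "$dir/bundle.pem"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' '-----END RSA PRIVATE KEY-----' >> "$dir/bundle.pem"
    # Encrypted key with CRLF line endings, as a Windows export would produce it.
    printf '%s\r\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00' '' 'AAAA' '-----END RSA PRIVATE KEY-----' > "$dir/windows.key"
    # First bytes of a DER SEQUENCE (0x30 0x82 ...): enough for the format check.
    printf '\060\202\001\000' > "$dir/cert.der"
    : > "$dir/empty.txt"
}

# Usage: sh pem_check.sh FILE...   (no arguments: run over the constructed samples)
if [ $# -eq 0 ]; then
    samples=$(mktemp -d); make_samples "$samples"; set -- "$samples"/*
fi
for f in "$@"; do printf '%s: %s\n' "$f" "$(classify "$f")"; done
if [ -n "${samples:-}" ]; then rm -rf "$samples"; fi
```

A 'bundle' verdict means the file must be split into one object per file (the private key and the certificate go into separate files); 'chain' is fine as long as the server certificate comes first, followed by the issuing certificates.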
Third-party systems may export certificates in other formats. For example, Windows Server exports certificates in the pkcs12 format, so if you want to place a Windows server behind Stingray, and decrypt the traffic on the Stingray, you'll need to translate the certificate into a format that Stingray understands.
The key tool to use is openssl - this swiss-army knife can translate between numerous different formats.
If you're using a Unix-like operating system (Linux, Mac OS X, Solaris), openssl should be included, or will be easily installed from the package manager. If you're using Windows, you can download a binary from OpenSSL: OpenSSL Binary Distributions.
To extract the private key from the pkcs12 file (here key.p12) as an unencrypted PEM file:
$ openssl pkcs12 -in key.p12 -nocerts -out key.pem -nodes
If you omit the -nodes flag, openssl will prompt you for an encryption password to protect your private key; Stingray does not support such encrypted keys. If you inadvertently create an encrypted key, you can generate the decrypted version as follows:
$ openssl rsa -in key.encrypted.pem -out key.pem
To extract the certificate from the same pkcs12 file:
$ openssl pkcs12 -in key.p12 -nokeys -out cert.pem
You may encounter a key or certificate file in DER format. DER (Distinguished Encoding Rules) files are binary equivalents of the Base-64 ASCII-encoded PEM files, and are commonly used by Java applications. Files contain binary data and often use the extension .der or .cer.
To convert a DER certificate to PEM:
$ openssl x509 -in file.cer -inform DER -out file.pem -outform PEM
If you're using Windows, use the openssl.exe binary downloaded from the link above.
If openssl generates keys in a different format, then you can force the output format using the flag -outform PEM.
The program 'cert' is bundled with Stingray; it's a less functional alternative to OpenSSL but it is useful to verify that certificates are in a format that is fully supported by Stingray.
Get help by running 'cert --help':
root@stingray# $ZEUSHOME/admin/bin/cert --help
Usage: cert [OPTIONS]
-i, --in <filename> Input file name
-n, --new Create a new certificate/key/request
-t, --type <type> Type of file to create, public|private|request
Check that your public certificate and private key are a valid pair:
# cert -in TEST.public -key TEST.private --check
private and public key are a valid pair
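The conversions above and the pair check can be chained into one script. The following is an added example built on the openssl commands in this post; it is not Riverbed's cert tool and not code from the original post. It detects whether each input is PEM or DER, rewrites the certificate and key as unencrypted PEM (taking the passphrase on the command line so openssl never stops at a prompt), and then compares the public key embedded in the certificate with the public half of the private key. File names and the passphrase are caller-supplied placeholders; the openssl CLI is assumed to be installed.

```shell
#!/bin/sh
# pair_check.sh: bring a certificate and key into the single-object PEM form that
# Stingray loads, then confirm they belong together. Added example, not Riverbed's
# cert tool. Arguments are placeholder file names supplied by the caller.

# Print PEM if the file carries a PEM header, else DER (openssl must be told which).
fmt_of() {
    if grep -q -- '-----BEGIN' "$1" 2>/dev/null; then echo PEM; else echo DER; fi
}

# cert_to_pem IN OUT: rewrite a certificate as PEM whatever its input encoding.
cert_to_pem() {
    openssl x509 -in "$1" -inform "$(fmt_of "$1")" -out "$2" -outform PEM
}

# key_to_pem IN OUT [PASSPHRASE]: rewrite an RSA key as unencrypted PEM. The
# passphrase is passed explicitly so openssl never blocks on an interactive prompt;
# an empty one is supplied (and ignored) for keys that are not encrypted.
key_to_pem() {
    openssl rsa -in "$1" -inform "$(fmt_of "$1")" -passin "pass:${3:-}" -out "$2" -outform PEM
}

# pair_check CERT KEY: succeed only when the public key inside the certificate is
# the public half of the private key. Both sides are reduced to the DER
# SubjectPublicKeyInfo and hashed, so the comparison is the same for RSA and EC keys.
pair_check() {
    cert_spki=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_spki=$(openssl pkey -in "$2" -passin pass: -pubout -outform DER | openssl dgst -sha256)
    [ -n "$cert_spki" ] && [ "$cert_spki" = "$key_spki" ]
}

# Usage: sh pair_check.sh CERT KEY [PASSPHRASE]
if [ $# -ge 2 ]; then
    work=$(mktemp -d)
    cert_to_pem "$1" "$work/cert.pem"
    key_to_pem "$2" "$work/key.pem" "${3:-}"
    if pair_check "$work/cert.pem" "$work/key.pem"; then
        echo "private and public key are a valid pair"
    else
        echo "MISMATCH: $1 and $2 do not belong together" >&2
    fi
    rm -rf "$work"
fi
```

Comparing the hashed SubjectPublicKeyInfo rather than the RSA modulus keeps the check independent of key type; the converted files in the working directory are exactly what would be uploaded, so a mismatch here is caught before the traffic manager ever sees the material.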
Finally, if you're confused about which file is a private key, and which is a public certificate, you can dump each of them using openssl or cert:
root@stingray-1:server_keys# cert --in TEST.private --text
root@stingray-1:server_keys# cert --in TEST.public --text
Signature Algorithm: sha1withRSAEncryption
CN=ca, O=Riverbed Technology, OU=Development, L=Cambridge, C=GB
The equivalent openssl commands are:
$ openssl x509 -in cert.pem -text
$ openssl rsa -in key.pem -text