Discussion:
[stunnel-users] Support for multiple root CAs
Tom Bentley
2018-12-07 14:36:52 UTC
Permalink
Hi,

I'm using stunnel to secure communication between nodes in a cluster, using
a self-signed CA to sign the server certs and the `verify = 2` config
parameter. This works great. What I want to be able to do is replace the CA
key and certificate without breaking the cluster. How I thought this should
work would be:

1. Configure the stunnels to trust both the old and new CA certificates
while the nodes continued to use server certificates signed by the old CA
key.
2. Switch to using using server certifcates signed by the new CA key.
3. Finally remove trust in the old CA certificate.

I'd tried this by putting both CA certificates in a single file and using
`CAfile` config parameter, and also by using the `CApath` config parameter
with both root CA certificates in the configured directory, but I've not
been able to get this to work while keeping `verify = 2`. It does work if I
temporary use `verify = 0`, but obviously that means I've not got TLS
authentication duration the duration of the process.

Can anyone confirm whether stunnel supports this use case, and if so
suggest where I might be going wrong?

Many thanks,

Tom

Loading...