erebe / wstunnel

Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available
BSD 3-Clause "New" or "Revised" License

How to use custom tls certificate private-key #323

Closed yymk158 closed 3 weeks ago

yymk158 commented 1 month ago

Describe the goal

Hello, I'm an ordinary user, not a programmer, and I can't understand how to use a custom TLS certificate and private key. Can you elaborate on how to configure the custom TLS certificate and private key?

  --tls-certificate <FILE_PATH>
      [Optional] Use custom certificate (pem) instead of the default embedded self-signed certificate.
      The certificate will be automatically reloaded if it changes

  --tls-private-key <FILE_PATH>
      [Optional] Use a custom tls key (pem, ec, rsa) that the server will use instead of the default embedded one
      The private key will be automatically reloaded if it changes

  --tls-client-ca-certs <FILE_PATH>
      [Optional] Enables mTLS (client authentication with certificate). Argument must be PEM file
      containing one or more certificates of CA's of which the certificate of clients needs to be signed with.
      The ca will be automatically reloaded if it changes

Describe what does not work

Cannot be configured

Describe your wstunnel setup

wstunnel server --restrict-http-upgrade-path-prefix "xxxxx" --tls-certificate "/etc/wstunnel/server-cert.pem" --tls-private-key "/etc/wstunnel/server-private-key" --tls-client-ca-certs "/etc/wstunnel/client-cert.pem" wss://0.0.0.0:12345

wstunnel client --restrict-http-upgrade-path-prefix "xxxxx" --tls-certificate "d:\wstunnel\client-cert.pem" --tls-private-key "d:\wstunnel\client-private-key" --tls-client-ca-certs "d:\wstunnel\server-cert.pem" -L socks5://127.0.0.1:1080 https://server-ip:12345

Desktop (please complete the following information):

ubuntu
windows10

erebe commented 1 month ago

Hello,

You only need to specify the certificate and private key on server side

wstunnel server --restrict-http-upgrade-path-prefix "xxxxx" --tls-certificate "/etc/wstunnel/server-cert.pem" --tls-private-key "/etc/wstunnel/server-private-key" ....

That's enough to use your own cert. On the client side there is nothing to do; you can use --tls-verify-certificate if you want to be sure the cert is valid.

yymk158 commented 1 month ago

Sorry, maybe I made a mistake. I want the server and the client to authenticate to each other using the certificate and key, but the connection cannot be established if the verification fails, and only my client can connect to the server. Should I use this command?

wstunnel server --restrict-http-upgrade-path-prefix "xxxxx" --tls-certificate "/etc/wstunnel/server-cert.pem" --tls-private-key "/etc/wstunnel/server-private-key" --tls-client-ca-certs "/etc/wstunnel/client-cert.pem" wss://0.0.0.0:12345

wstunnel client --restrict-http-upgrade-path-prefix "xxxxx" --tls-private-key "d:\wstunnel\client-private-key" --tls-verify-certificate -L socks5://127.0.0.1:1080 https://server-ip:12345/

erebe commented 1 month ago

Hello, if you want to use mutual TLS authentication, you can follow this guide: https://github.com/erebe/wstunnel/blob/main/docs/using_mtls.md. It explains how to set up everything.

yymk158 commented 1 month ago

./wstunnel server --restrict-http-upgrade-path-prefix "xxxx" --tls-certificate "/abc/11cert.pem" --tls-private-key "/abc/11key.pem" --tls-client-ca-certs "/abc/22cert.pem" wss://0.0.0.0:xxx

thread 'main' panicked at src/main
Cannot load tls certificate: No such file or directory (os error 2)
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace

Using this command shows an error that the certificate cannot be loaded. The certificate name and path have been confirmed. I don't know why the certificate can't be loaded.

erebe commented 1 month ago

It seems the file does not exist at location /abc/11cert.pem.

yymk158 commented 1 month ago

Something is wrong?

openssl req -x509 -newkey rsa:4096 -keyout ca.key.pem -out ca.pem -days 3650 -nodes
openssl req -newkey rsa:4096 -keyout server.key.pem -out server.pem -nodes
openssl x509 -req -in server.pem -CA ca.pem -CAkey ca.key.pem -CAcreateserial -out server.crt.pem -days 3650

wstunnel server --tls-certificate "/xxx/server.crt.pem" --tls-private-key "/xxx/server.key.pem" --tls-client-ca-certs "/xx/ca.pem" wss://0.0.0.0:xxx
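Two of the failures in this thread (a path that does not exist, and a file passed to the wrong flag) can be caught before starting the server. The following preflight check is an added example, not part of the wstunnel project: it verifies that each file behind --tls-certificate, --tls-private-key and --tls-client-ca-certs exists and contains PEM blocks of the expected type. It only inspects PEM labels, so it cannot tell a CA certificate from a leaf certificate; the sample PEM texts are constructed placeholders, not real keys.

```python
import re
from pathlib import Path

# One PEM block: label in group 1 (e.g. "CERTIFICATE", "EC PRIVATE KEY"), body in group 2.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

CERT_LABELS = {"CERTIFICATE"}
# The help text says the key may be pem, ec or rsa; these are the PEM labels those produce.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed sample PEM texts (dummy bodies, not real key material) for a stand-alone run.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nBBBB\n-----END PRIVATE KEY-----\n"


def pem_labels(text):
    """Return the labels of all PEM blocks in text, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_pem(flag, text, expected, allow_many=False):
    """Return a list of problems for the PEM text handed to one wstunnel flag."""
    labels = pem_labels(text)
    if not labels:
        return [f"{flag}: no PEM block found (empty file or DER encoding?)"]
    problems = []
    wrong = [label for label in labels if label not in expected]
    if wrong:
        problems.append(f"{flag}: unexpected PEM block(s) {wrong}, expected one of {sorted(expected)}")
    if len(labels) > 1 and not allow_many:
        problems.append(f"{flag}: file holds {len(labels)} blocks, expected exactly one")
    return problems


def preflight(cert_path, key_path, ca_path=None):
    """Check the files for --tls-certificate, --tls-private-key and (optionally) --tls-client-ca-certs."""
    checks = [("--tls-certificate", cert_path, CERT_LABELS, True),   # a chain file may hold several certs
              ("--tls-private-key", key_path, KEY_LABELS, False)]   # exactly one key
    if ca_path is not None:
        checks.append(("--tls-client-ca-certs", ca_path, CERT_LABELS, True))  # one or more CA certs
    problems = []
    for flag, path, expected, many in checks:
        p = Path(path)
        if not p.is_file():
            problems.append(f"{flag}: {path} does not exist (wstunnel reports os error 2 here)")
            continue
        problems += check_pem(flag, p.read_text(), expected, many)
    return problems


if __name__ == "__main__":
    for line in preflight("/xxx/server.crt.pem", "/xxx/server.key.pem", "/xx/ca.pem"):
        print(line)
```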