In these directions for configuring Stunnel on Windows the following text appears:

Copy a valid SSL public certificate to the directory "C:\Program Files (x86)\stunnel." To make things more trouble-free, combine the public key and private key certificates into one .PEM file.

I would love to know how to do this but those directions skip over the mechanics of it.

Can anyone show me how, please?

I'm on Windows 2016.

The certificate in question is a Let's Encrypt SSL certificate which matches the domain used to access the server.

EDIT: I attempted to make a .pem using the instructions from RalfFriedl below:

To export it from mmc, double click the certificate, go to tab details, export to file, press next, select Base-64 encoded X.509, press next, select a file name, press next and finish. Although Windows wants to add a .cer extension, this is the certificate in PEM format.

The resulting file looks like this (minus my obfuscation):


When I try to make use of it the framework reports:

OpenSSL.crypto.Error: [('PEM routines', 'PEM_read_bio', 'no start line')]

I'm adding that to the question as those terms in the error don't mean much to me, but I thought it might mean something to someone reading the question.

EDIT2: Thanks to a comment by RalfFriedl I found a part of the stunnel doco I had previously overlooked which documents the structure of what it's expecting in a .pem file. It's here: https://www.stunnel.org/static/stunnel.html#CERTIFICATES

So it looks like if I:

  • take the result of the export;
  • generate a private key;
  • and then combine the two into one file

it might work! I will try that next.


Using the approach suggested by dave_thompson_085 I now have a working PEM! Great!

There is one thing though, which is that when it's used I get prompted for the PEM Pass Phrase. This is OK in that I was prompted to create a passphrase while running the suggested command, but it's not ideal for normal use. Is there any way I can do the same thing but not have a passphrase?

This page suggests you can use openssl to remove the passphrase (https://futurestud.io/tutorials/how-to-remove-pem-password-from-ssl-certificate), but in fact that command produces a file which is no longer accepted by the process using the pem.

Would be great to hear of suggestions for how you can do that.

Also while I'm here I'll just say that when I first started using the openssl embedded in stunnel I saw warnings about not having a config file. These warnings went away when I set up an environment variable like this:

    set OPENSSL_CONF=F:\bin\installed\stunnel\config\openssl.cnf

Where 'F:\bin\installed\stunnel' is where I have stunnel installed.

Another caveat for later readers. I have a copy of openssl as part of a Mingw/Git For Windows environment and I tried using that with the suggested command (because I had the window open already) and I found that it just hung. I don't know why it hung, but doing what dave_thompson_085 suggested, using the openssl embedded in stunnel, worked fine.


2 Answers


Assuming you are configuring the server end, any SSL/TLS server including stunnel (excluding some inapplicable cases) NEEDS A PRIVATE KEY AND CERTIFICATE.

If the 'certificate' in your Windows store is actually a 'certificate with private key', i.e. if it is in the Personal store (not the Trusted Root CAs store) and its icon has a little yellow key at the top left (in addition to the yellow seal at the bottom right), and it was not restricted from export, you need a different process with an additional step:

  • First, run the export wizard (either from mmc/certmgr or from InternetOptions = inetopt.cpl / Content / Certificates) and select "Yes export the private key" which will automatically set the format to "PKCS#12 (PFX)". Give it a password and suitable filename/location; it is probably most convenient to put it in the %programfiles*%\stunnel directory somewhere.

  • Second, run the openssl commandline program; there is one included in the stunnel distro for Windows (or at least was in the one I got a while back), or else there are lots of other places you can get an OpenSSL build for Windows. In a CMD window (or powershell) do:

    openssl pkcs12 -in thep12fromWindows -out mycertandkey.pem

    except specify the full pathname "(programfilesdir)\stunnel\bin\openssl" if that directory isn't either in your PATH or the working directory (which are the places Windows will find an unadorned name automatically). Use a name that identifies this cert and key in whatever fashion is convenient for you; the .pem suffix is not required but I recommend it for clarity.

    This file will contain both the PEM-format certificate and PEM-format private key as suggested in the stunnel instructions. By default the private key is encrypted so you will need to enter the password every time you start stunnel; if you don't want that, and aren't worried that some miscreant can get access to this file and then use your key and cert to impersonate your server and intercept its traffic, add -nodes to the command above.

If the certificate entry in the Windows store does not contain the private key, or has the private key set to export prohibited, you can't use it. If there is no private key, then the certificate must have originally been obtained on some other system (and copied here) because you cannot obtain a cert from most CAs, and particularly LE, without having the private key. Find where it came from and get the private key from there. If the private key is present but restricted, it still may have been copied from somewhere else that you can get it from. If not, if the key was generated here and set restricted at birth, whoever did that ruined this part of your life. Go chastise them, then throw away this cert and start over and generate a new private key that is NOT restricted and get a cert for it and then use those.

  • OK this is great. I can't be 100% sure but I think this has done it. I say I can't be sure because I haven't sorted out the stunnel config properly, but when I try to use the .PEM in some Twisted code Twisted doesn't complain and just starts the server! Thank you, very helpful. There is one thing ... when I do the PFX to PEM conversion I get prompted for the 'PEM pass phrase'. I'm just going to edit the question in case there's something that can be done. Thanks again for your help, very useful. – glaucon Aug 15 '18 at 11:26
  • @glaucon: as I said, if you don't want password-based encryption on the private key in the PEM output, add option `-nodes` to the `pkcs12` command. (The spelling is counterintuitive because of backwards compatibility.) – dave_thompson_085 Aug 16 '18 at 00:39
  • Thank you very much for that. I had overlooked it in your original answer (it was rather late and had been a long day!). Thanks again for your help. – glaucon Aug 18 '18 at 07:01
  • Sadly I have a Windows certificate from enterprise PKI with restricted private key. But I've used these auto-generated PKI certs to allow secured HTTPS traffic in a Remote Desktop Gateway setup (Windows IIS), without needing to know the private key. Can @dave_thompson_085 please elaborate a bit more on the "inapplicable cases" mentioned at the start of your answer? Perhaps that will explain why in my experience, Stunnel needs the private key but IIS doesn't? – goofology Apr 08 '21 at 00:25
  • @goofology: IIS needs the privatekey, but it is a program designed to run only on Windows using the Windows API which (edit) uses the privatekey in the Windows store. Stunnel is a portable program using OpenSSL which requires the privatekey in an external file, and cannot use the Windows store. – dave_thompson_085 Apr 08 '21 at 05:38
  • Seems rather obvious now. Thanks! – goofology Apr 09 '21 at 17:14
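The question's `no start line` error and the passphrase prompt discussed in this answer are both visible from the structure of the .pem file alone. The following Python checker is an added example, not code from the question, either answer, stunnel or OpenSSL; it parses a PEM file into its blocks, rejects the encodings a Windows export can produce (UTF-16 or a byte-order mark), and reports whether a CERTIFICATE block and a PRIVATE KEY block are present and whether the key is encrypted. The sample inputs are constructed: their base64 bodies are a five-byte stand-in for DER, not real certificates or keys, so the script only checks structure, never validity of the certificate or key.

```python
import base64
import binascii
import re

# Constructed stand-in for a DER body (an ASN.1 SEQUENCE holding INTEGER 1).
# It is NOT a real certificate or key; it only lets the structural checks run offline.
_FAKE_DER = b"\x30\x03\x02\x01\x01"


def make_pem_block(label, der, headers=()):
    """Wrap DER bytes in a PEM block, optionally with RFC 1421 headers (Proc-Type, DEK-Info)."""
    body = base64.b64encode(der).decode("ascii")
    lines = [f"-----BEGIN {label}-----"]
    if headers:
        lines.extend(headers)
        lines.append("")  # a blank line separates the headers from the base64 body
    lines.extend(body[i:i + 64] for i in range(0, len(body), 64))
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"


# Constructed inputs mirroring the situations in the thread.
CERT_ONLY = make_pem_block("CERTIFICATE", _FAKE_DER)           # what the mmc Base-64 export yields
CERT_AND_KEY = (make_pem_block("PRIVATE KEY", _FAKE_DER)       # pkcs12 conversion with -nodes
                + make_pem_block("CERTIFICATE", _FAKE_DER))
CERT_AND_ENCRYPTED_KEY = (                                     # pkcs12 conversion without -nodes
    make_pem_block("RSA PRIVATE KEY", _FAKE_DER,
                   headers=["Proc-Type: 4,ENCRYPTED",
                            "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF"])
    + make_pem_block("CERTIFICATE", _FAKE_DER))

_BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def parse_pem(data):
    """Split raw file bytes into (label, headers, der) tuples; raise ValueError on encoding faults."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        raise ValueError("file is UTF-16: re-save it as plain ASCII text")
    if data.startswith(b"\xef\xbb\xbf"):
        raise ValueError("file starts with a UTF-8 byte-order mark; OpenSSL will not see the BEGIN line")
    text = data.decode("ascii")  # non-ASCII bytes raise UnicodeDecodeError, a ValueError
    blocks = []
    for match in _BLOCK_RE.finditer(text):
        label, body = match.group(1), match.group(2)
        lines = [line.strip() for line in body.splitlines()]   # also drops Windows CR
        headers = [line for line in lines if ":" in line]      # base64 never contains ':'
        b64 = "".join(line for line in lines if line and ":" not in line)
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{label} block is not valid base64: {exc}") from exc
        blocks.append((label, headers, der))
    return blocks


def diagnose(data):
    """Report what a combined PEM file holds and why a TLS server might reject it."""
    try:
        blocks = parse_pem(data)
    except ValueError as exc:
        return {"blocks": [], "encrypted_key": False, "problems": [str(exc)]}
    labels = [label for label, _, _ in blocks]
    keys = [(label, headers) for label, headers, _ in blocks if label.endswith("PRIVATE KEY")]
    problems = []
    if not blocks:
        problems.append("no PEM blocks found")
    if blocks and "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if blocks and not keys:
        problems.append("no PRIVATE KEY block: loading the key from this file fails with 'no start line'")
    for label, _, der in blocks:
        if not der or der[0] != 0x30:   # every X.509 certificate and PKCS key is a DER SEQUENCE
            problems.append(f"{label} body does not decode to a DER SEQUENCE")
    encrypted = any(label == "ENCRYPTED PRIVATE KEY"
                    or any(h.startswith("Proc-Type: 4,ENCRYPTED") for h in headers)
                    for label, headers in keys)
    return {"blocks": labels, "encrypted_key": encrypted, "problems": problems}


if __name__ == "__main__":
    import sys
    # Usage: python pemcheck.py C:\path\to\mycertandkey.pem  (falls back to a constructed sample)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else CERT_AND_ENCRYPTED_KEY.encode("ascii")
    print(diagnose(raw))
```

Run it against the file stunnel is given. A file that came straight from the mmc export shows `no PRIVATE KEY block`, which is the situation behind the question's error; `encrypted_key: True` means the start-up passphrase prompt will appear until the key is rewritten without encryption; and a passphrase-removal step that writes out only the key shows up as `no CERTIFICATE block`, which is one reason a "fixed" file can stop being accepted. The `blocks` list also shows the order of the blocks, which you can compare with the CERTIFICATES section of the stunnel manual linked in the question.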

The page at Let's Encrypt contains an overview together with links to many different programs you can use to create your certificate. It should answer your question; if not, you can ask a more specific question.


Most programs will get you the PEM directly from Let's Encrypt. I recommend you find a way for your program to directly store the PEM file where you need it, because the certificate has to be renewed after three months.

To export it from mmc, double click the certificate, go to tab details, export to file, press next, select Base-64 encoded X.509, press next, select a file name, press next and finish. Although Windows wants to add a .cer extension, this is the certificate in PEM format.

A PEM certificate looks like this:

  • Thanks for your reply but I already have the certificate on the machine in question. It's visible via the Certificates MMC, but the stunnel directions refer to a .PEM file, and that's not something that you can obtain from the Certificates MMC export facility. It's directions for obtaining that .PEM from my certificate that I was interested in. Thanks again. – glaucon Aug 15 '18 at 06:00
  • I added the instructions, but I don't recommend it. – RalfFriedl Aug 15 '18 at 06:10
  • Thanks RalfFriedl, I think that's just what I want. I will try it. – glaucon Aug 15 '18 at 06:16
  • Hmm, unfortunately that didn't work. I'll edit the question in a moment to explain what happened, but if you have any other suggestions I would be pleased to hear them. Thanks again. – glaucon Aug 15 '18 at 08:30
  • I added an example for a certificate. Yours seems fine. Stunnel probably also expects a key. The text you quoted, "combine the public key and private key certificates into one .PEM file", indicates a bad understanding of SSL; it's the private key and the certificates containing the public key. – RalfFriedl Aug 15 '18 at 08:57
  • OK that's interesting. To be fair, the 'how to do it' text wasn't written by them. In fact I've now found the relevant part of the stunnel documentation (which I'd overlooked previously) and I'll update the question with that. Thanks again. – glaucon Aug 15 '18 at 09:11