I’m running the radicale caldav/carddav server (version 0.9) on an internal machine. For external users I’m providing secured access using the stunnel4 service on the gateway. Thus I don’t have to care about the ssl stuff for all the internal services (caldav/carddav and imap/smtp as well), but only have a centralized configuration on the gateway (stunnel server). The following code shows an example for the radicale caldav/carddav service, which runs on tcp/5232 (default):
```ini
; global options: drop privileges after binding the ports
setuid = stunnel4
setgid = stunnel4
pid = /var/run/stunnel4/stunnel4.pid
; log to a file instead of syslog; debug = 7 is the most verbose level
output = /var/log/stunnel4/stunnel4.log
syslog = no
debug = 7
; server certificate (with key) presented to clients
cert = /etc/ssl/certs/server.pem
; CA material used to verify client certificates, plus the revocation list
CAfile = /etc/ssl/certs/ca.pem
CApath = /etc/ssl/trusted/
CRLfile = /etc/ssl/certs/crl.pem
; verify = 3: require a client certificate and check it against the locally installed ones
verify = 3
session = 14400
TIMEOUTidle = 14400
libwrap = no

; one service section per forwarded port: accept on the gateway, connect to the internal host
[caldav]
accept = 5232
connect = 172.16.111.111:5232
```
Of course you can extend the configuration for any other relevant services (smtps, imaps).
```ini
; imaps on the gateway terminates TLS and forwards plain imap to the internal host
[imaps]
accept = 993
connect = 172.16.111.111:143

; submission port on the gateway, forwarded to plain smtp internally
[smtps]
accept = 587
connect = 172.16.111.111:25
```
It’s just ssl-offloading with client certificate check in addition, which is fully transparent for the back-end services.
CA, client and server certificates and the CRL as well can be generated using the easy-rsa scripts provided by the openvpn community (as @mmonaco mentioned above). Apart from that, xca or tinyca2 may be useful tools if you’re looking for graphical ones.
I’m sorry not to be able to provide you with a test account, but maybe the information above will help you to set it up on your site with less effort.
best regards, bf.
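The post relies on `verify = 3` plus the CA and CRL files to make the client-certificate check effective for every forwarded service. The following linter, an added example and not code from the post or from stunnel, parses an stunnel4-style config (global defaults, per-service overrides) and reports any service that would accept a connection without a verified, non-revoked client certificate; the sample config is constructed and deliberately weakens the `[imaps]` section.

```python
"""Lint an stunnel4 config for the client-certificate checks the post relies on.

Added example, not part of the original post. Assumes the stunnel 4.x option
names shown there (verify, CAfile, CApath, CRLfile, accept, connect) and that
service-level options override the global defaults.
"""
from typing import Dict, List, Tuple

# Constructed sample: the post's global settings plus a weakened imaps section.
SAMPLE_CONFIG = """
cert = /etc/ssl/certs/server.pem
CAfile = /etc/ssl/certs/ca.pem
CApath = /etc/ssl/trusted/
CRLfile = /etc/ssl/certs/crl.pem
verify = 3
[caldav]
accept = 5232
connect = 172.16.111.111:5232
[imaps]
accept = 993
connect = 172.16.111.111:143
; overrides the global level: verify = 1 only *requests* a client cert
verify = 1
"""

def parse_stunnel(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Split the config into global options and per-service sections."""
    global_opts: Dict[str, str] = {}
    services: Dict[str, Dict[str, str]] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return global_opts, services

def lint(text: str) -> List[str]:
    """Return findings; empty means every service requires a verified client cert."""
    global_opts, services = parse_stunnel(text)
    findings: List[str] = []
    if not services:
        findings.append("no service sections defined")
    for name, opts in services.items():
        eff = {**global_opts, **opts}            # service options override globals
        for req in ("accept", "connect"):
            if req not in eff:
                findings.append(f"[{name}] missing '{req}'")
        level = int(eff.get("verify", "0"))     # stunnel default: no client cert check
        if level < 2:
            findings.append(f"[{name}] verify={level} does not require a client certificate")
        elif "CAfile" not in eff and "CApath" not in eff:
            findings.append(f"[{name}] verify={level} but no CAfile/CApath to verify against")
        if "CRLfile" not in eff:
            findings.append(f"[{name}] no CRLfile: revoked client certificates stay valid")
    return findings
```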