[stunnel-users] certificate root chain

Hans Werner Strube strube at physik3.gwdg.de
Thu Feb 9 11:17:10 CET 2006

Olivier twist wrote:
> I have a server certificate signed by GlobalSign. I don't want to use a client
> certificate.
> But if I don't put the certification chain on the CAFILE of stunnel and
> don't set verify at 1, stunnel doesn't check the server certification chain
> and the server certificate appears broken on client side!!!
> cert = c:\certif\inTest.crt
> key = c:\certif\inTest.key
> CAfile = c:\certif\ca.pem

AFAIK the whole certificate chain from your server certificate up to the
CA certificate should be in inTest.crt (simply concatenate the PEM files).
The CAfile would be needed for client verification only.
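
An added example, not part of the original post or of stunnel: a Python helper that builds the combined file described in the reply from separate PEM inputs, handling two ways plain concatenation goes wrong (an input without a trailing newline, and a private key slipping into the chain). The function names and the sample PEM bodies are constructed; the leaf-first order is an assumption based on what OpenSSL's chain-file loader expects.

```python
import re

# Matches one PEM block of any type, e.g. CERTIFICATE or RSA PRIVATE KEY.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, base64_body)] for every PEM block in text."""
    return [(m.group(1), "".join(m.group(2).split()))
            for m in PEM_BLOCK.finditer(text)]


def build_chain(leaf, *issuers):
    """Join PEM texts into one chain file body, server certificate first.

    Assumption: order is leaf, then intermediates, then optionally the root.
    """
    if len(pem_blocks(leaf)) != 1:
        raise ValueError("first input must hold exactly the server certificate")
    out = []
    for i, text in enumerate((leaf,) + issuers):
        blocks = pem_blocks(text)
        if not blocks:
            raise ValueError(f"input {i}: no PEM block found")
        for label, body in blocks:
            if "PRIVATE KEY" in label:
                # The chain is sent to peers; the key stays in its own file.
                raise ValueError(f"input {i}: contains a private key")
            if label != "CERTIFICATE":
                raise ValueError(f"input {i}: unexpected block {label!r}")
            # Re-wrap at 64 columns and always end each block with a newline,
            # so END and BEGIN markers never fuse onto one line.
            lines = [body[j:j + 64] for j in range(0, len(body), 64)]
            out.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
                       + "\n-----END CERTIFICATE-----\n")
    return "".join(out)


# Constructed sample input: placeholder base64 bodies, not real certificates.
# LEAF deliberately lacks a trailing newline.
LEAF = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nSU5U\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nS0VZ\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(build_chain(LEAF, INTERMEDIATE), end="")
```

The returned text is what would be written to the file named by `cert`, with `key` still pointing at the separate key file.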

