[stunnel-users] Intermediate Cert validation problem

Eric McCombs seattime at sbcglobal.net
Thu Feb 1 00:35:38 CET 2007


With some very fast advice (thanks, Jan), we were able to get the 
intermediate certificate validated and we are no longer seeing the 
validation warning on our PC mail clients and cell phone clients.

Here's the process we used to resolve the problem installing 
intermediate certs on the server.

Preparation -

For this explanation I will assume that the user has already created a 
private key and certificate signing request and has purchased and 
received their signed cert. With the signed cert, Verisign will send 
installation instructions about where to obtain their intermediate cert 
(https://www.verisign.com/support/verisign-intermediate-ca/index.html). 
Their instructions fail to tell you how to obtain their root 
certificates; the download page can be found at the following link: 
http://www.verisign.com/support/roots.html

With this preparation you should have the following files (note that 
these are sample file names; your names may vary depending on how you 
created and named them):

private key file =  private.key
signed cert = server-cert.crt
verisign intermediate cert = intermediate.crt
verisign root cert = verisign-root.crt

Solution for using cert in server mode:

With these files already saved on your system, (for explanation purposes 
these files will all be saved in /etc/stunnel/certs/) you will need to 
do the following:

1. Copy private.key to private-key.pem (command in Linux: cp 
/etc/stunnel/certs/private.key /etc/stunnel/certs/private-key.pem)
2. Create new file group-cert.pem in /etc/stunnel/certs/ with the 
contents of the cert.crt, intermediate.crt and verisign-root.crt in the 
following order (I used Vi to create this file):

    * cert.crt contents
    * carriage return
    * intermediate.crt contents
    * carriage return
    * verisign-root.crt contents
    * carriage return

3. Edit the stunnel.conf file located in /etc/stunnel/. Note: before 
working on this file I copy the original file using the following 
command: cp stunnel.conf stunnel.conf.org

    key = /etc/stunnel/certs/private-key.pem
    cert = /etc/stunnel/certs/group-cert.pem

4. Restart stunnel

Once restarted everything worked as desired.

Eric McCombs
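
Added example, not part of the original post: a POSIX shell sketch of steps 1 and 2 above that also checks the inputs before stunnel is restarted. It assumes the openssl command-line tool is installed and uses the post's sample file names, taking server-cert.crt as the signed cert; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the post): steps 1-2 with checks. Needs the openssl CLI.

# Concatenate PEM files, in the order given, into $1. A newline is appended
# after any file that lacks one, so an END CERTIFICATE line never fuses with
# the next BEGIN CERTIFICATE line (the "carriage return" items in step 2).
build_bundle() {
    out=$1; shift
    : > "$out" || return 1
    for f in "$@"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
        cat "$f" >> "$out"
        # the substitution is empty only when the file's last byte is a newline
        [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$out"
    done
}

# Print the number of well-formed certificate BEGIN lines in a bundle.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Succeed only when private key $1 and certificate $2 hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only when server cert $1 chains through intermediate $2 to root $3.
verify_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# When called with the certs directory (e.g. /etc/stunnel/certs), run the steps.
if [ "$#" -eq 1 ] && [ -d "$1" ]; then
    d=$1
    key_matches_cert "$d/private.key" "$d/server-cert.crt" ||
        { echo "private key does not match server cert" >&2; exit 1; }
    verify_chain "$d/server-cert.crt" "$d/intermediate.crt" "$d/verisign-root.crt" ||
        { echo "server cert does not chain to the root" >&2; exit 1; }
    cp "$d/private.key" "$d/private-key.pem" && chmod 600 "$d/private-key.pem"
    build_bundle "$d/group-cert.pem" "$d/server-cert.crt" \
        "$d/intermediate.crt" "$d/verisign-root.crt" || exit 1
    echo "group-cert.pem holds $(count_certs "$d/group-cert.pem") certificates"
fi
```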





