[stunnel-users] Cert Chain Question
Jeremie Le Hen
jeremie at le-hen.org
Thu Feb 18 11:36:14 CET 2010
On Wed, Feb 17, 2010 at 10:28:03AM -0700, Craig Kelley wrote:
> I've been attempting to include an intermediate chain for my stunnel
> setup. First, I previously used an entrust-signed certificate with
> stunnel just fine, but now I've purchased one from godaddy ($190 for 3
> certs for 5 years!). The only problem is that the server has multiple
> certificates to install. Under Apache, I solved it with this:
> SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
> SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
> SSLCertificateChainFile /etc/httpd/conf/ssl.crt/godaddy.crt
> Which works just fine. With stunnel I attempted this configuration:
> cert = /etc/stunnel/server.crt
> key = /etc/stunnel/server.key
> CAfile = /etc/stunnel/godaddy.crt
> All those files are identical to the Apache configuration. Stunnel
> starts up, but clients loudly complain that the certificate is not valid.
> If I examine the certificate in Thunderbird (I use stunnel for IMAPS and
> POP3S), it correctly identifies the cert as being from GoDaddy and that it
> will expire in 2015. But for some reason, the chain to its root server is
> What am I doing wrong?
The way it works in stunnel is that your godaddy.crt should contain the
certificate chain up to the self-signed root CA.
Jeremie Le Hen
Humans are born free and equal. But some are more equal than the others.
More information about the stunnel-users