[stunnel-users] How can I configure Intermediate Certificate

Carlos García Villate cgarcia at b-kin.com
Tue Jan 4 16:13:23 CET 2011


 Hi.

Two months ago, we installed our SSL certificate with stunnel succesfully.
That certificate was issued by Verisign. We did not experience any issues.

A few weeks ago, we had to renew that certficate and after doing that, we
started to get 'Invalid certificate' errors form our web site users. It
seems that the new certificate issued by Verisign, has changed its
hierarchy, and browsers like FF that do not have one of the necessary
intermediate certificate registered fail.

This is the new hierarchy:
- VeriSign Class 3 Public Primary Certification Authority - G5
      - VeriSign Class 3 Secure Server CA - G3
           - www.b-kin.com

It is the 'VeriSign Class 3 Secure Server CA - G3' certificate the one that
most FF browsers do not have registered, and so the browsers reject the
request with an 'Invalid certificate' message.

To solve this issue, we are trying to incorporate the 'VeriSign Class 3
Secure Server CA - G3' certificate in the .pem file, where our
www.b-kin.comcertificate is installed. We have tried to include the
Verisign certificate
first and then the other one; and the other way round, first our certificate
and then the Verisign one, but without success. The Verisign certificate has
been directly taken from the Verisign web site.

The .pem file has following structure:
Bag Attributes heading section
.....
-----BEGIN RSA PRIVATE KEY-----
.....
-----END RSA PRIVATE KEY-----
Bag Attributes heading section
-----BEGIN CERTIFICATE----- /*We have alternated to put here the
www.b-kin.com or the Verisign certificate*/
.....
-----END CERTIFICATE-----
 Bag Attributes heading section
 -----BEGIN CERTIFICATE----- /*We have alternated to put here the
www.b-kin.com or the Verisign certificate*/
.....
-----END CERTIFICATE-----

We are running stunnel on CentOS with the following configuration:

stunnel 4.32 on i686-pc-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
Threading:PTHREAD SSL:ENGINE,FIPS Sockets:POLL,IPv6 Auth:LIBWRAP
Global options
debug           = daemon.notice
pid             = /usr/local/var/run/stunnel/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes
Service-level options
cert            = /usr/local/etc/stunnel/stunnel.pem
ciphers         = FIPS
session         = 300 seconds
stack           = 65536 bytes
sslVersion      = TLSv1
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds
verify          = none

As we have seen in the documentation, it is possible to include a
certificate hierarchy in a .pem file. What we do not know is the order nor
the
values to set int Bag Attributes heading section, for the Verisign
certificate.

Best regards,

Carlos.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20110104/b53d0c05/attachment.html>


More information about the stunnel-users mailing list