With some very fast advice, Thanks Jan, we were able to get the intermediate certificate validated and we are no longer seeing the validation warning on our PC mail clients and cell phone clients.
Here's the process we used to resolve the problem installing intermediate certs on the server.
Preparation -
For this explanation I will assume that the user has already created a private key and certificate signing request and has purchased and received their signed cert. With the signed cert Verisign will send installation instructions about where to obtain their intermediate cert ( https://www.verisign.com/support/verisign-intermediate-ca/index.html ), their instructions fail to tell you how to obtain their root certificates, the download page can be found at the following link: http://www.verisign.com/support/roots.html
With this preparation you should have the following files (note that these are sample file names, your names may vary on how you created and named them):
private key file = private.key signed cert = server-cert.crt verisign intermediate cert = intermediate.crt verisign root cert = verisign-root.crt
Solution for using cert in server mode:
With these files already saved on your system, (for explanation purposes these files will all be saved in /etc/stunnel/certs/) you will need to do the following:
1. Copy private.key to private-key.pem (Command in linux = cp /etc/stunnel/certs/private.key /etc/stunnel/certs/private-key.pem) 2. Create new file group-cert.pem in /etc/stunnel/certs/ with the contents of the cert.crt, intermediate.crt and verisign-root.crt in the following order (I used Vi to create this file):
* cert.crt contents * carriage return * intermediate.crt contents * carriage return * verisign-root.crt contents * carriage return
3. Edit the stunnel.conf file located in /etc/stunnel/ Note before working on this file I copy the original file using the following command: cp stunnel.conf stunnel.conf.org key = /etc/stunnel/certs/private-key.pem cert = /etc/stunnel/certs/group-cert.pem 4. Restart stunnel
Once restarted everything worked as desired.
Eric McCombs