I'm trying to write a Go program to connect to an stunnel server and verify the certificate, but it fails because the Go language requires that self-signed certs have keyCertSign set in the keyUsages. The default stunnel.cnf does not set this. According to the following message thread, this is required by RFC 5280.
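The check described in the post can be reproduced offline with Go's `crypto/x509` alone. This is an added example, not code from the original post or from stunnel: it builds two throwaway self-signed certificates that differ only in keyUsage and asks Go whether each may act as its own issuer. The subject name and the key-usage sets are constructed stand-ins, not the contents of stunnel.cnf.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed key-usage sets: the first stands in for a cert lacking keyCertSign.
const WithoutCertSign = x509.KeyUsageDigitalSignature
const WithCertSign = x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign

// SelfCheck makes a self-signed cert with the given usage and checks it as its own issuer.
func SelfCheck(usage x509.KeyUsage) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "stunnel.example.test"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              usage,
		BasicConstraintsValid: true, // CA:TRUE in both cases, so only keyUsage differs
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	return cert.CheckSignatureFrom(cert)
}

// IsConstraintViolation reports whether err is Go's "parent cannot sign" error.
func IsConstraintViolation(err error) bool { return errors.As(err, new(x509.ConstraintViolationError)) }

func main() {
	fmt.Println("without keyCertSign:", SelfCheck(WithoutCertSign))
	fmt.Println("with keyCertSign:   ", SelfCheck(WithCertSign))
}
```

The first certificate is rejected with an `x509.ConstraintViolationError` even though its signature is mathematically valid; the second, which adds keyCertSign, is accepted.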