You should create one certificate for each client. In this way you will be able to revoke certificates for single clients.
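As an added illustration of the one-cert-per-client approach (not code from this thread or from stunnel), the script below sets up a throwaway private CA with openssl, issues a separate certificate to two constructed clients ("alice" and "bob"), revokes only alice, and checks each certificate against the CA and the resulting CRL. The CA name "demo-ca" and the client names are assumptions for the demo.

```shell
#!/bin/sh
# Added example: tiny private CA, one certificate per client, single-client
# revocation via a CRL. "demo-ca", "alice" and "bob" are constructed names.
set -e
WORK=$(mktemp -d); cd "$WORK"
mkdir newcerts; touch index.txt; echo 1000 > serial; echo 1000 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = cn_only
[ cn_only ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
# 1. Self-signed CA: ca.crt is the one file you distribute (CAfile in stunnel).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj "/CN=demo-ca" -days 365 -config ca.cnf 2>/dev/null
# 2. One private key, CSR and CA-signed certificate per client.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" -config ca.cnf 2>/dev/null
  openssl ca -batch -config ca.cnf -in "$1.csr" -out "$1.crt" 2>/dev/null
}
issue_client alice
issue_client bob
# 3. Revoke only alice, then regenerate the CRL (CRLfile in stunnel).
openssl ca -config ca.cnf -revoke alice.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
# 4. Verify a client cert against CA + CRL; exits 0 only if still valid.
check_client() {
  openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1.crt" >/dev/null 2>&1
}
check_client bob && ! check_client alice && echo "bob valid, alice revoked"
```

Because each client holds its own certificate, revoking alice leaves bob's access untouched; with a single shared certificate the only option would be to revoke everyone at once.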
OK, I'm starting to get a grasp on the bigger picture here. I re-read through some of the stunnel docs with some of your information in mind, and also through some of the docs here:
http://wiki.dovecot.org/SSL, and particularly: http://wiki.dovecot.org/SSL/CertificateCreation
From Dovecot, I know, not stunnel, but it had some good info about what goes in the various files and was some good additional info.
I think I'm going to have to start from the ground up; I've got so many certs and concatenated pems and copies of crls that it's getting confusing. But I think I understand more what needs to be in each file, and more importantly WHY those things need to be there, so I will do some re-creation and test things out.
Out of curiosity, how do large corporations handle the installation of one of their certs on all of the client machines? Because it seems like that would be a pain! Like, for example, if one were to set up their mail client to handle their gmail account, how does Google make the connection to your mail client safe from a MITM attack if you've not pre-installed one of their certs? I guess perhaps because they'd have a cert built into the mail client by default?
Dave