Hi.
Two months ago, we installed our SSL certificate with stunnel succesfully. That certificate was issued by Verisign. We did not experience any issues.
A few weeks ago, we had to renew that certficate and after doing that, we started to get 'Invalid certificate' errors form our web site users. It seems that the new certificate issued by Verisign, has changed its hierarchy, and browsers like FF that do not have one of the necessary intermediate certificate registered fail.
This is the new hierarchy: - VeriSign Class 3 Public Primary Certification Authority - G5 - VeriSign Class 3 Secure Server CA - G3 - www.b-kin.com
It is the 'VeriSign Class 3 Secure Server CA - G3' certificate the one that most FF browsers do not have registered, and so the browsers reject the request with an 'Invalid certificate' message.
To solve this issue, we are trying to incorporate the 'VeriSign Class 3 Secure Server CA - G3' certificate in the .pem file, where our www.b-kin.comcertificate is installed. We have tried to include the Verisign certificate first and then the other one; and the other way round, first our certificate and then the Verisign one, but without success. The Verisign certificate has been directly taken from the Verisign web site.
The .pem file has following structure: Bag Attributes heading section ..... -----BEGIN RSA PRIVATE KEY----- ..... -----END RSA PRIVATE KEY----- Bag Attributes heading section -----BEGIN CERTIFICATE----- /*We have alternated to put here the www.b-kin.com or the Verisign certificate*/ ..... -----END CERTIFICATE----- Bag Attributes heading section -----BEGIN CERTIFICATE----- /*We have alternated to put here the www.b-kin.com or the Verisign certificate*/ ..... -----END CERTIFICATE-----
We are running stunnel on CentOS with the following configuration:
stunnel 4.32 on i686-pc-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 Threading:PTHREAD SSL:ENGINE,FIPS Sockets:POLL,IPv6 Auth:LIBWRAP Global options debug = daemon.notice pid = /usr/local/var/run/stunnel/stunnel.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes Service-level options cert = /usr/local/etc/stunnel/stunnel.pem ciphers = FIPS session = 300 seconds stack = 65536 bytes sslVersion = TLSv1 TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds verify = none
As we have seen in the documentation, it is possible to include a certificate hierarchy in a .pem file. What we do not know is the order nor the values to set int Bag Attributes heading section, for the Verisign certificate.
Best regards,
Carlos.