I'm experiencing a problem validating the intermediate cert in our Stunnel configuration.
We are using Stunnel to forward the IMAP, POP and SMTP SSL ports from our VPN server to our internal mail server. We originally used a self-signed cert on the VPN server. When clients connected via Outlook, Outlook Express, Thunderbird and various cell phone mail programs they received a warning message (Unable to verify identity of xxx) about the self-signed cert. To resolve this issue we purchased an SSL cert from Verisign to install on the VPN server.
We generated the key and CSR and received the new cert from Verisign, which also requires an intermediate cert for verification.
We have tried various methods to have the certs validated (combining the key, intermediate cert and server cert in one file, pointing to the CA_file, etc.), but continue to see the Unable to verify identity message.
Has anybody else encountered this problem and found a way to resolve the problem?
Thanks in advance.
Eric McCombs
With some very fast advice (thanks, Jan), we were able to get the intermediate certificate validated, and we are no longer seeing the validation warning on our PC mail clients and cell phone clients.
Here's the process we used to resolve the problem installing intermediate certs on the server.
Preparation -
For this explanation I will assume that the user has already created a private key and certificate signing request and has purchased and received their signed cert. With the signed cert, Verisign will send installation instructions about where to obtain their intermediate cert ( https://www.verisign.com/support/verisign-intermediate-ca/index.html ). Their instructions fail to tell you how to obtain their root certificates; the download page can be found at the following link: http://www.verisign.com/support/roots.html
With this preparation you should have the following files (note that these are sample file names; your names may vary depending on how you created and named them):
  private key file = private.key
  signed cert = server-cert.crt
  Verisign intermediate cert = intermediate.crt
  Verisign root cert = verisign-root.crt
Solution for using cert in server mode:
With these files already saved on your system (for explanation purposes these files will all be saved in /etc/stunnel/certs/), you will need to do the following:
1. Copy private.key to private-key.pem (command in Linux: cp /etc/stunnel/certs/private.key /etc/stunnel/certs/private-key.pem)
2. Create a new file group-cert.pem in /etc/stunnel/certs/ with the contents of cert.crt, intermediate.crt and verisign-root.crt in the following order (I used vi to create this file):
   * cert.crt contents
   * carriage return
   * intermediate.crt contents
   * carriage return
   * verisign-root.crt contents
   * carriage return
3. Edit the stunnel.conf file located in /etc/stunnel/. Note: before working on this file I copy the original file using the following command: cp stunnel.conf stunnel.conf.org
   key = /etc/stunnel/certs/private-key.pem
   cert = /etc/stunnel/certs/group-cert.pem
4. Restart stunnel.
Once restarted everything worked as desired.
Eric McCombs
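The chain-assembly steps above, as an added example that is not part of Eric's post: a small POSIX shell script that builds group-cert.pem in leaf-first order, keeps the copied key readable only by its owner, and checks the path with openssl before stunnel is restarted. File names follow the post; the PEM blocks in demo() are constructed stand-ins, not real certificates, so verify_chain is meant to be run against the real files.

```shell
#!/bin/sh
# Added example, not from the original post: assemble the stunnel chain file in the
# order the post uses (server cert, intermediate, root), keep the key private, and
# check the path with openssl before restarting stunnel. Paths are placeholders.
set -eu

# build_chain OUT LEAF INTERMEDIATE ROOT: concatenate PEM files, leaf first. A PEM
# file lacking a final newline would glue "-----END CERTIFICATE-----" onto the next
# "-----BEGIN" line, which stunnel cannot parse, so a newline is added when missing.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        cat "$f" >> "$out"
        # $(...) strips trailing newlines, so a non-empty result means none was there
        [ -z "$(tail -c 1 "$f")" ] || printf '\n' >> "$out"
    done
    chmod 644 "$out"            # the chain is public; only the key must stay private
}

# count_certs FILE: number of certificate blocks in a PEM bundle
count_certs() { grep -c '^-----BEGIN CERTIFICATE-----' "$1"; }

# nth_cert FILE N: print the N-th certificate block (used to check ordering)
nth_cert() { awk -v n="$2" '/^-----BEGIN CERTIFICATE-----/ { i++ } i == n' "$1"; }

# verify_chain LEAF INTERMEDIATE ROOT: ask openssl to build leaf -> intermediate ->
# root; a failure means the downloaded intermediate does not match the issued cert.
verify_chain() { openssl verify -CAfile "$3" -untrusted "$2" "$1"; }

# demo: stand-in PEM blocks (constructed, not real certificates) so the assembly
# logic can be exercised offline; run verify_chain against the real files instead.
demo() {
    d=$(mktemp -d)
    b='-----BEGIN CERTIFICATE-----'; e='-----END CERTIFICATE-----'
    printf '%s\nLEAF\n%s' "$b" "$e"    > "$d/server-cert.crt"    # deliberately no final newline
    printf '%s\nINTER\n%s\n' "$b" "$e" > "$d/intermediate.crt"
    printf '%s\nROOT\n%s\n' "$b" "$e"  > "$d/verisign-root.crt"  # root is sent too, as in the post
    printf 'PLACEHOLDER KEY\n' > "$d/private.key"
    cp "$d/private.key" "$d/private-key.pem" && chmod 600 "$d/private-key.pem"
    build_chain "$d/group-cert.pem" "$d/server-cert.crt" "$d/intermediate.crt" "$d/verisign-root.crt"
    # the two stunnel.conf directives from the post, pointing at the files just made
    printf 'key = %s/private-key.pem\ncert = %s/group-cert.pem\n' "$d" "$d" > "$d/stunnel.conf.fragment"
    echo "$d"
}
```

With the real files in /etc/stunnel/certs/, run verify_chain server-cert.crt intermediate.crt verisign-root.crt first; only if it prints OK is it worth restarting stunnel with the new chain.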