[stunnel-users] certificate root chain
Hans Werner Strube
strube at physik3.gwdg.de
Thu Feb 9 11:17:10 CET 2006
Olivier twist wrote:
> I have a server certificate signed by GlobalSign. I don't want to use a client
> certificate.
> But if I don't put the certification chain in the CAfile of stunnel and
> don't set verify to 1, stunnel doesn't check the server certification chain
> and the server certificate appears broken on the client side!!!
...
> cert = c:\certif\inTest.crt
> key = c:\certif\inTest.key
...
> CAfile = c:\certif\ca.pem

AFAIK the whole certificate chain from your server certificate up to the
CA certificate should be in inTest.crt (simply concatenate the PEM files).
The CAfile would be needed for client verification only.