Hi.
Two months ago, we installed our SSL certificate with stunnel-openssl
succesfully. That certificate was issued by Verisign. We did not experience
any issues.
A few weeks ago, we had to renew that certficate and after doing that, we
started to get 'Invalid certificate' errors form our web site users. It
seems that the new certificate issued by Verisign, has changed its
hierarchy, and browsers like FF that do not have one of the necessary
intermediate certificate registered fail.
This is the new hierarchy:
- VeriSign Class 3 Public Primary Certification Authority - G5
- VeriSign Class 3 Secure Server CA - G3
- www.b-kin.com
It is the 'VeriSign Class 3 Secure Server CA - G3' certificate the one that
most FF browsers do not have registered, and so the browsers reject the
request with an 'Invalid certificate' message.
To solve this issue, we are trying to incorporate the 'VeriSign Class 3
Secure Server CA - G3' certificate in the .pem file, where our
www.b-kin.comcertificate is installed. We have tried to include the
Verisign certificate
first and then the other one; and the other way round, first our certificate
and then the Verisign one, but without success. The Verisign certificate has
been directly taken from the Verisign web site.
The .pem file has following structure:
Bag Attributes heading section
.....
-----BEGIN RSA PRIVATE KEY-----
.....
-----END RSA PRIVATE KEY-----
Bag Attributes heading section
-----BEGIN CERTIFICATE----- /*We have alternated to put here the
www.b-kin.com or the Verisign certificate*/
.....
-----END CERTIFICATE-----
Bag Attributes heading section
-----BEGIN CERTIFICATE----- /*We have alternated to put here the
www.b-kin.com or the Verisign certificate*/
.....
-----END CERTIFICATE-----
As we have seen in the documentation, it is possible to include a
certificate hierarchy in a .pem file.
What are we doing wrong?
Best regards,
Carlos.
