我有一个由GlobalSign为bar.com域(bar.com.crt和bar.com.key(签名的通配符证书。
我将中间证书和根GlobalSign证书连接起来,以获得我的bar.com证书捆绑包。
cat intermediate.crt root.crt > bundle.crt
我检查整个链条是否正常。这个:
openssl verify -verbose -CAfile bundle.crt bar.com.crt
给我:
bar.com.crt: OK
现在,我想用我的通配符为foo.bar.com域签署一个新证书。我创建了新的捆绑包:
cat bar.com.crt bundle.crt > fullbundle.crt
然后我生成并签署新证书:
openssl genrsa -out foo.bar.com.key 2048
openssl req -new -sha256 -key foo.bar.com.key -subj "/C=AA/ST=BB/L=CC/O=DD/CN=foo.bar.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf 'n[SAN]nsubjectAltName=DNS:%s,DNS:%s' "foo.bar.com" "anotherdns")) -out foo.bar.com.csr
openssl x509 -req -in foo.bar.com.csr -CA fullbundle.crt -CAkey bar.com.key -CAcreateserial -out foo.bar.com.crt -days 500 -sha256
但现在,当我验证新的全链:
openssl verify -verbose -CAfile fullbundle.crt foo.bar.com.crt
给我:
C = AA, ST = BB, L = CC, O = DD, CN = foo.bar.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error foo.bar.com.crt: verification failed
怎么了?
我发现我无法使用通配符签署新证书。用于签名的证书必须具有某些扩展名(https://serverfault.com/questions/749741/generate-subdomain-certificate-from-valid-wildcard-certificate)。