Openssl &引用;无法获取本地颁发者证书“;使用GlobalSign签名证书
我有一个由GlobalSign为Openssl &引用;无法获取本地颁发者证书“;使用GlobalSign签名证书,openssl,certificate,ssl-certificate,ca,Openssl,Certificate,Ssl Certificate,Ca,我有一个由GlobalSign为bar.com域(bar.com.crt和bar.com.key)签名的通配符证书 我将中间和根GlobalSign证书连接起来,以获得我的bar.com证书包 cat intermediate.crt root.crt > bundle.crt 我检查整个链条是否正常。这: openssl verify -verbose -CAfile bundle.crt bar.com.crt 给我: bar.com.crt: OK C = AA, ST = B
bar.com
域(bar.com.crt
和bar.com.key
)签名的通配符证书
我将中间和根GlobalSign证书连接起来,以获得我的bar.com
证书包
cat intermediate.crt root.crt > bundle.crt
我检查整个链条是否正常。这:
openssl verify -verbose -CAfile bundle.crt bar.com.crt
给我:
bar.com.crt: OK
C = AA, ST = BB, L = CC, O = DD, CN = foo.bar.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error foo.bar.com.crt: verification failed
现在,我想用我的通配符为foo.bar.com
域签署一份新证书。我创建新的捆绑包:
cat bar.com.crt bundle.crt > fullbundle.crt
然后,我生成新证书并使用以下内容签名:
openssl genrsa -out foo.bar.com.key 2048
openssl req -new -sha256 -key foo.bar.com.key -subj "/C=AA/ST=BB/L=CC/O=DD/CN=foo.bar.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf '\n[SAN]\nsubjectAltName=DNS:%s,DNS:%s' "foo.bar.com" "anotherdns")) -out foo.bar.com.csr
openssl x509 -req -in foo.bar.com.csr -CA fullbundle.crt -CAkey bar.com.key -CAcreateserial -out foo.bar.com.crt -days 500 -sha256
给我:
bar.com.crt: OK
C = AA, ST = BB, L = CC, O = DD, CN = foo.bar.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error foo.bar.com.crt: verification failed
怎么了?我发现我无法用我的通配符签署新证书。用于签名的证书必须具有一些扩展()