Tags: openssl, certificate, ssl-certificate, ca

"unable to get local issuer certificate" with GlobalSign signed certificate


I have a wildcard certificate signed by GlobalSign for the bar.com domain (bar.com.crt and bar.com.key).

I concatenate the GlobalSign intermediate and root certificates to get the bundle for my bar.com certificate.

cat intermediate.crt root.crt > bundle.crt

I check that the full chain is OK. This:

openssl verify -verbose -CAfile bundle.crt bar.com.crt

Gives me:

bar.com.crt: OK

Now, I want to sign a new certificate for foo.bar.com domain with my wildcard. I create the new bundle:

cat bar.com.crt bundle.crt > fullbundle.crt

Then I generate and sign the new certificate with:

openssl genrsa -out foo.bar.com.key 2048

openssl req -new -sha256 -key foo.bar.com.key -subj "/C=AA/ST=BB/L=CC/O=DD/CN=foo.bar.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf '\n[SAN]\nsubjectAltName=DNS:%s,DNS:%s' "foo.bar.com" "anotherdns")) -out foo.bar.com.csr

openssl x509 -req -in foo.bar.com.csr -CA fullbundle.crt -CAkey bar.com.key -CAcreateserial -out foo.bar.com.crt -days 500 -sha256

But now, when I verify the new full chain:

openssl verify -verbose -CAfile fullbundle.crt foo.bar.com.crt

Gives me:

C = AA, ST = BB, L = CC, O = DD, CN = foo.bar.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error foo.bar.com.crt: verification failed

What's wrong?


Solution

  • I found I just can't sign a new certificate with my wildcard. The certificate used to sign must have some extensions (https://serverfault.com/questions/749741/generate-subdomain-certificate-from-valid-wildcard-certificate).
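The failure in the question reproduced end to end, as an added example that is not part of the original post and not GlobalSign's tooling. It builds a throwaway private PKI with openssl(1) (1.1.1 or later assumed; all names such as Example Root CA, bar.com and foo.bar.com are constructed), issues a wildcard with the profile a public CA applies to server certificates (basicConstraints CA:FALSE, keyUsage without keyCertSign), tries to sign foo.bar.com with it the way the question does, and prints the two extensions that explain the result. For contrast it issues the same leaf under a subordinate CA that does carry CA:TRUE and keyCertSign, which is the only kind of certificate that can play the role the question wants.

```shell
#!/bin/sh
# Added example, not the poster's commands: rebuild the situation from the
# question with a throwaway private PKI, show that a certificate issued with
# the end-entity profile cannot act as an issuer, and show the extension
# check that explains why. Assumes openssl(1) 1.1.1 or later. All names
# (Example Root CA, bar.com, foo.bar.com) are constructed for this example.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl(1) is required" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the system openssl.cnf (and its default
# x509_extensions) plays no part; the subject always comes from -subj.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Self-signed root carrying the extensions a CA certificate must have.
make_root() {
    openssl req -x509 -config "$WORK/req.cnf" -extensions root_ext \
        -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=Example/CN=Example Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# issue_cert BASENAME CN ISSUER PROFILE
# Writes $WORK/BASENAME.crt for CN, signed with $WORK/ISSUER.key.
# PROFILE "leaf" is what a public CA puts on a server certificate such as a
# wildcard: CA:FALSE and a keyUsage without keyCertSign.
# PROFILE "ca" is a subordinate CA that is allowed to sign.
issue_cert() {
    base=$1; cn=$2; issuer=$3; profile=$4
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example/CN=$cn" \
        -keyout "$WORK/$base.key" -out "$WORK/$base.csr" 2>/dev/null
    if [ "$profile" = ca ]; then
        printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' \
            > "$WORK/$base.ext"
    else
        printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
            "$cn" > "$WORK/$base.ext"
    fi
    # x509 -req takes its extensions from -extfile, not from the CSR.
    openssl x509 -req -sha256 -days 30 -in "$WORK/$base.csr" \
        -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" -CAcreateserial \
        -extfile "$WORK/$base.ext" -out "$WORK/$base.crt" 2>/dev/null
}

# verify_status CAFILE CERT: prints OK or FAILED, mirroring openssl verify.
verify_status() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAILED
    fi
}

# The two extensions that decide whether a certificate may issue others.
signing_extensions() {
    openssl x509 -in "$1" -noout -text | grep -A1 -E 'X509v3 (Basic Constraints|Key Usage)'
}

main() {
    make_root
    issue_cert wildcard '*.bar.com' root leaf          # the CA-issued wildcard
    cat "$WORK/wildcard.crt" "$WORK/root.crt" > "$WORK/fullbundle.crt"
    echo "wildcard chain:          $(verify_status "$WORK/root.crt" "$WORK/wildcard.crt")"

    issue_cert foo foo.bar.com wildcard leaf           # the attempt from the question
    echo "foo signed by wildcard:  $(verify_status "$WORK/fullbundle.crt" "$WORK/foo.crt")"
    echo "wildcard signing extensions:"
    signing_extensions "$WORK/wildcard.crt"

    # Same leaf under a subordinate CA that does carry CA:TRUE and keyCertSign.
    issue_cert sub 'Example Sub CA' root ca
    issue_cert foo2 foo.bar.com sub leaf
    cat "$WORK/sub.crt" "$WORK/root.crt" > "$WORK/cabundle.crt"
    echo "foo signed by sub CA:    $(verify_status "$WORK/cabundle.crt" "$WORK/foo2.crt")"
}

main
```

Because the wildcard's keyUsage does not include keyCertSign, OpenSSL does not accept it as a candidate issuer at all, which is why the question sees "unable to get local issuer certificate" at depth 0 rather than a complaint about the CA flag. A publicly trusted CA will not issue a CA:TRUE certificate to a subscriber, so the practical options are a private CA for internal names, or simply serving foo.bar.com with the wildcard itself, which already covers every single-label subdomain of bar.com.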