"unable to get local issuer certificate" 具有 GlobalSign 签名证书
"unable to get local issuer certificate" with GlobalSign signed certificate
我有 GlobalSign 为 bar.com 域(bar.com.crt 和 bar.com.key)签署的通配符证书。
我连接中间和根 GlobalSign 证书以获得我的 bar.com 证书的捆绑包。
cat intermediate.crt root.crt > bundle.crt
我检查了整个链条是否正常。这个:
openssl verify -verbose -CAfile bundle.crt bar.com.crt
给我:
bar.com.crt: OK
现在,我想用我的通配符为 foo.bar.com 域签署一个新证书。我创建新包:
cat bar.com.crt bundle.crt > fullbundle.crt
然后我生成并签署新证书:
openssl genrsa -out foo.bar.com.key 2048
openssl req -new -sha256 -key foo.bar.com.key -subj "/C=AA/ST=BB/L=CC/O=DD/CN=foo.bar.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf '\n[SAN]\nsubjectAltName=DNS:%s,DNS:%s' "foo.bar.com" "anotherdns")) -out foo.bar.com.csr
openssl x509 -req -in foo.bar.com.csr -CA fullbundle.crt -CAkey bar.com.key -CAcreateserial -out foo.bar.com.crt -days 500 -sha256
但是现在,当我验证新的完整链时:
openssl verify -verbose -CAfile fullbundle.crt foo.bar.com.crt
给我:
C = AA, ST = BB, L = CC, O = DD, CN = foo.bar.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error foo.bar.com.crt: verification failed
怎么了?
我发现我无法使用我的通配符签署新证书。用于签名的证书必须具有一些扩展名 (https://serverfault.com/questions/749741/generate-subdomain-certificate-from-valid-wildcard-certificate)。
我有 GlobalSign 为 bar.com 域(bar.com.crt 和 bar.com.key)签署的通配符证书。
我连接中间和根 GlobalSign 证书以获得我的 bar.com 证书的捆绑包。
cat intermediate.crt root.crt > bundle.crt
我检查了整个链条是否正常。这个:
openssl verify -verbose -CAfile bundle.crt bar.com.crt
给我:
bar.com.crt: OK
现在,我想用我的通配符为 foo.bar.com 域签署一个新证书。我创建新包:
cat bar.com.crt bundle.crt > fullbundle.crt
然后我生成并签署新证书:
openssl genrsa -out foo.bar.com.key 2048
openssl req -new -sha256 -key foo.bar.com.key -subj "/C=AA/ST=BB/L=CC/O=DD/CN=foo.bar.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf '\n[SAN]\nsubjectAltName=DNS:%s,DNS:%s' "foo.bar.com" "anotherdns")) -out foo.bar.com.csr
openssl x509 -req -in foo.bar.com.csr -CA fullbundle.crt -CAkey bar.com.key -CAcreateserial -out foo.bar.com.crt -days 500 -sha256
但是现在,当我验证新的完整链时:
openssl verify -verbose -CAfile fullbundle.crt foo.bar.com.crt
给我:
C = AA, ST = BB, L = CC, O = DD, CN = foo.bar.com
error 20 at 0 depth lookup: unable to get local issuer certificate
error foo.bar.com.crt: verification failed
怎么了?
我发现我无法使用我的通配符签署新证书。用于签名的证书必须具有一些扩展名 (https://serverfault.com/questions/749741/generate-subdomain-certificate-from-valid-wildcard-certificate)。