问题
So, I have a wildcard certificate which is signed by a respectable CA that all browsers recognize (Equifax). This certificate is valid for *.mydomain.com and works well.
Now, what I would like to do is use this cert to sign a certificate for a subdomain like something.mydomain.com -- I don't want to use my main (wildcard) certificate for this sublocation for security reasons.
Here is a diagram of the certificate chain I am looking to achieve :
Equifax CA ==1==> *.mydomain.com ==2==> something.mydomain.com
I am looking to do arrow #2, as well as configure lighttpd correctly with the resulting cert.
I have managed to generate a certificate using OpenSSL, and given lighty a ca-crt file with both the wildcard and CA certs. However this fails to validate in my browser (it does not seem to see the chain). 'openssl s_client' sees only 2 certs in the chain (from mydomain.com) but does not include the root CA cert...
Am I doing something wrong? (Is this even possible?) Any pointers much appreciated :]
回答1:
You cannot do this. Only certificates that are specifically marked as CA certificates can sign other certificates (and then they can sign any other certificates, so those aren't handed out lightly).
It is a bit of a pity - the ability to have "domain-limited CA" certificates would be nice.
来源:https://stackoverflow.com/questions/7919330/generate-child-certificate-from-ca-issued-http-cert