I have created a letsencrypt.org certificate using letsencrypt run, which works fine as an SSL certificate on apache2. How can I create another server certificate signed (and thus trusted) by the letsencrypt.org certificate?
I tried to create a CSR with
openssl req -new -key file.key -out file.csr
which I assume I can sign with
openssl x509 -extensions server_cert -req -in file.csr -CA /etc/letsencrypt/live/[domain name]/fullchain.pem -CAkey /etc/letsencrypt/live/[domain name]/privkey.pem -CAcreateserial -out file.pem -days 500 -sha256
The result is SEC_ERROR_INADEQUATE_KEY_USAGE in Firefox 47.0 on Ubuntu 16.04.
I assume the resulting certificate is trusted like the letsencrypt.org certificate is, since the chain of trust shouldn't be broken. The to-be-created certificate is unnecessary. I want to create it for the purpose of learning, in case this question doesn't reveal that I'm requesting something impossible.
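
An added example, not part of the original post: it reproduces the setup described above offline, with a constructed root standing in for the public CA, and shows that signing with a server certificate's key succeeds while path validation rejects the result. The names and the extension values in `leaf_ext` (CA:FALSE, no keyCertSign) are assumptions modelled on a typical publicly issued server certificate.

```bash
#!/bin/sh
# Constructed demo: every key, name and certificate is generated locally.
# root = stand-in for the public CA, leaf = the server certificate it issued,
# sub  = the extra certificate signed with the leaf's private key.

new_csr() {  # new_csr <name> <CN>: fresh RSA key plus CSR
  openssl req -new -newkey rsa:2048 -nodes -config cfg -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

sign() {  # sign <name> <issuer>: same x509 -req -CA/-CAkey call as in the question
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -extfile cfg -extensions leaf_ext -out "$1.pem" -days 2 -sha256 2>/dev/null
}

demo_leaf_as_issuer() (  # body runs in a subshell, so cd stays local
  dir=$(mktemp -d) && cd "$dir" || exit 2
  leaf=REJECTED; sub=MISSING
  cat > cfg <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -config cfg -extensions root_ext \
    -subj "/CN=Constructed Root" -keyout root.key -out root.pem -days 2 2>/dev/null
  new_csr leaf leaf.example.test && sign leaf root
  new_csr sub sub.example.test && sign sub leaf   # signing is not policed
  # Path validation is where the issuer's extensions are actually checked.
  openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1 && leaf=OK
  [ -s sub.pem ] && sub=REJECTED                  # file exists, trust pending
  openssl verify -CAfile root.pem -untrusted leaf.pem sub.pem >/dev/null 2>&1 \
    && sub=TRUSTED
  cd / && rm -rf "$dir"
  echo "leaf=$leaf sub=$sub"
)

demo_leaf_as_issuer   # prints: leaf=OK sub=REJECTED
```

To see which extensions a real certificate carries, `openssl x509 -in cert.pem -noout -text` lists them under "X509v3 extensions".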