Chaining x.509 certificates

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

I'm fairly new to x.509 certificates, etc.  Please forgive a novice

I work for a software development organization.  We've used a Verisign
x.509 certificate (via keytool and jarsigner) to sign our jars before
they get shipped to customers for a few years.  Now we're going to be
shipping a new product enhancement that uses https for security.

It looks like, with https, our customer will need their own x.509
certificate.  They can, of course generate their own self-signed
certificate, or get one from Verisign, et al.

I'm wondering if there is a third option.  For us to create a
sub-certificate off of our current one.

After digging through keytool and a whole pile of stuff on Google for a
day (and barely scratching the surface), I still have not figured out
the magical step of chaining a x.509 certificate.  Keytool refers to
importing a chained certificate from the CA, but nothing about how the
CA creates it.

I suppose, if it were easy, Verisign would quickly go out of business

Any suggestions or references would be greatly appreciated.

Site Timeline