RapidSSL is a brand of Symantec. RapidSSL are Domain Validation (DV) identity certificates. I went for a standard (non-wildcard) RapidSSL from
GoGetSSL. On default, my certificate chained up to
GeoTrust Global CA. If you use its cross-signing certificate, it even chains up to
Equifax Secure Certificate Authority. Both matched the factory installed trust anchors in my Yealink W56P. It worked as you expect it.
Alternatively, in the GeoTrust web interface, you can change the certificate to chain to the SHA-2 root, creating a SHA-2 only chain. That chains up to
GeoTrust Primary Certification Authority - G3. I did not test, whether that works. According that published list, it does not work. Therefore, if you need a SHA-2-only chain, I recommend to have a look at the
Thawte SSL123.
However, I am not sure if it helps, because you are about wildcard certificate specifically. I did not go for a wildcard certificate because that feature is not implemented and/or authors interpret
IETF RFC 5922 section 7.2 that this is not allowed for SIP over TLS at all. I know, your question was not about SIP, but I guess you want to reuse that certificate for SIP. Furthermore, I make sure my domain name is within the ‘Common Name’ and first within the ‘SAN’, because to many VoIP/SIP implementations do not support SAN or go just for the first SAN.
Actually, the factory-installed list of certificates contains deprecated, never used, and even not usable TLS certificate authorities. You can go only for Deutsche Telekom, DigiCert, and Symantec. Of those, only Symantec is selling those cheaper DV certificates. For those, Symantec uses its brands Thawte, GeoTrust, and RapidSSL. Of those, RapidSSL are the cheapest. Or stated differently: I am not aware of any alternative to a RapidSSL Wildcard certificate. If that does not work, I guess, wildcards are not supported in general.
Were you able to test it in the meantime?