Generating and Installing Wildcard and Multi-Domain SSL Certificates

Generate a CSR (Cert Signing Request) For a Wildcard Domain

Normally, to generate a certificate for a wildcard domain such as *.example.com, all you have to do (when generating the CSR) is specify in the “Common Name” field:
*.example.com

The problem is that:

  1. This will only wildcard one sub-domain level (i.e., it will not work for www.subdomain.example.com, https://www.subdomain.example.com).
  2. And it will not cover the root domain (i.e., “example.com”, https://example.com).

To cover additional domains and wildcards, you have to use openssl’s SAN (subjectAltName) extension.

1. Edit file openssl.cnf (open via Notepad) –
File C:\WampDeveloper\Config\Apache\openssl.cnf

2. Uncomment (remove starting ‘#’) line:
# req_extensions = v3_req # The extensions to add to a certificate request

req_extensions = v3_req # The extensions to add to a certificate request

3. Update the “[ v3_req ]” section with line:
subjectAltName = @alt_names

[ v3_req ]

# Extensions to add to a certificate request

basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

4. Create a file named “alt-names.txt” and place the entire list of all domains and wildcards into it (including the previously entered “Common Name”):

[ alt_names ]
DNS.1 = www.example.com
DNS.2 = example.com
DNS.3 = *.example.com
DNS.4 = *.*.example.com

Note that the entry “*.*.example.com” is meant to wildcard multiple sub-domain levels. This entry might or might not work, depending on how different Browsers decide to handle it and whether the CA (Certificate Authority) allows it.
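To see concretely why the two limitations above apply, and why the multi-level entry is unlikely to help, here is an added example (not from the original post) that implements the hostname-matching rule TLS clients commonly apply to subjectAltName DNS entries; ALT_NAMES is the post’s own alt_names list and the hostnames are constructed test values.

```python
# Added example (not from the original post): how TLS clients match a hostname
# against the dNSName entries of a certificate's subjectAltName. It implements
# the common client rule (RFC 6125 style): a single "*" may stand only for the
# entire left-most label, every other label must match literally, and the
# label count must be equal. This is why "*.example.com" covers neither
# "example.com" nor "www.subdomain.example.com", and why "*.*.example.com"
# never matches a real hostname.
from typing import List


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Return True if `pattern` (one SAN DNS entry) covers `hostname`."""
    pattern_labels = pattern.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    # No wildcard at all: the names must be identical (case-insensitive).
    if "*" not in pattern:
        return pattern_labels == host_labels
    # A wildcard is only honoured as the complete left-most label ...
    if pattern_labels[0] != "*":
        return False
    # ... and only if at least two labels follow it (clients reject "*.com").
    if len(pattern_labels) < 3:
        return False
    # The wildcard stands for exactly one label, so the counts must be equal.
    if len(host_labels) != len(pattern_labels):
        return False
    # Remaining labels are compared literally; a second "*" in the pattern
    # (as in "*.*.example.com") is just the character "*", which no real
    # hostname label can equal.
    return host_labels[1:] == pattern_labels[1:]


def matching_entries(hostname: str, san_entries: List[str]) -> List[str]:
    """All SAN entries from the list that would make `hostname` valid."""
    return [e for e in san_entries if dnsname_matches(e, hostname)]


# The alt_names list from the post, used here as a constructed input.
ALT_NAMES = ["www.example.com", "example.com", "*.example.com", "*.*.example.com"]

if __name__ == "__main__":
    for host in ["example.com", "www.example.com", "mail.example.com",
                 "www.subdomain.example.com"]:
        print(f"{host:28} -> {matching_entries(host, ALT_NAMES)}")
```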

5. Follow the exact instructions on generating a CSR, except make sure to add the “alt-names.txt” file into the CSR generation command…

openssl genrsa -out example_com.key 2048
openssl req -new -sha256 -key example_com.key -out example_com.csr -config C:\WampDeveloper\Config\Apache\openssl.cnf

The first line generates your private key. The next line generates the CSR, using the additional entries from the alt-names.txt file. At this point you can either input the contents of the CSR file into the CA’s certificate purchasing process, or self-sign the cert…

Self-Signing a CSR (Certificate Signing Request) For a Wildcard Domain

If you are going to self-sign this certificate, you will need to tell the CA configuration to allow and use the SAN extension, by uncommenting in file openssl.cnf, line:
# copy_extensions = copy

[ CA_default ]
# Extension copying option: use with caution.
copy_extensions = copy

Then create the self-signed wildcard certificate the exact same way as in all other cases:

openssl x509 -req -sha256 -days 365 -in example_com.csr -signkey example_com.key -out example_com.crt -extfile C:\WampDeveloper\Config\Apache\alt-names.txt

Installing Wildcard and Multi-Domain Certificates

There is no difference between how Apache (or any other web server such as IIS, Nginx, Tomcat) treats normal and wildcard certs.

You would install the certificates the regular way, with a separate update to each website’s SSL VirtualHost file pointing to the location/path of the cert, the bundle file (if one exists), and the private key (all of which can point to the same locations for each website, or can be duplicated into each website’s certs\ folder)…

For example see Installing Comodo PositiveSSL Certificate Bundled with Root and Intermediate CA Certificates on Apache.

Note that if you self-signed the certificate:

  1. There will be no bundle file (don’t use the “SSLCertificateChainFile” directive).
  2. And if you want your local OS and Browser to actually accept and pass this certificate (without blocking website access as “untrusted”), you will have to install it into the Windows Trusted Root Certification Authorities store. *Some Browsers do not use this store and have their own “trust exception” process.

3 thoughts on “Generating and Installing Wildcard and Multi-Domain SSL Certificates”

    1. The “-extfile” directive was in the wrong command…

      Instead of it being used in openssl req -new ..., it is used in openssl x509 -req ....

      Thanks for pointing out the error. The post has been corrected.

      edit: There might be something more going on as I can’t get the V3 extension data to show up in the cert. Will have to look into this a bit more.

  1. Hi, thanks for this post.

    I have a question on multi-level-wildcard like *.*.example.com, do you know if it is recognised by the “Windows Trusted Root Certification Authorities store” ?

    I have no issues with one level wildcard but the *.* seems to not be understood.
