Generate a CSR (Cert Signing Request) For a Wildcard Domain
Normally, to generate a certificate for a wildcard domain such as *.example.com, all you have to do (when generating the CSR) is put the wildcard name in the “Common Name” field:
*.example.com
The problem is that:
- A wildcard only matches a single label (one sub-domain level): *.example.com covers www.example.com, but not www.subdomain.example.com (https://www.subdomain.example.com).
- It does not cover the root domain itself (i.e., “example.com”, https://example.com).
To cover additional domains and wildcards, you have to use OpenSSL’s SAN (subjectAltName) extension. Modern browsers ignore the Common Name altogether and only consult the SAN list, so every name the certificate should cover, including the one entered as Common Name, has to be listed there…
1. Edit file openssl.cnf (open via Notepad).
2. In the “[ req ]” section, uncomment (remove the starting ‘#’) the line:
# req_extensions = v3_req # The extensions to add to a certificate request
so that it reads:
req_extensions = v3_req # The extensions to add to a certificate request
3. Update the “[ v3_req ]” section with the line:
subjectAltName = @alt_names
so that the section reads:
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
4. Add an “[ alt_names ]” section to openssl.cnf (directly after “[ v3_req ]”) and place the entire list of all domains and wildcards into it, including the previously entered “Common Name”. The section has to live in the same file that the CSR command reads with -config, because that is where OpenSSL resolves “@alt_names”:
[ alt_names ]
DNS.1 = www.example.com
DNS.2 = example.com
DNS.3 = *.example.com
DNS.4 = *.*.example.com
Save the same list in a file named “alt-names.txt” as well; it is used when self-signing (below), where the extensions come from a separate file rather than from openssl.cnf.
Note that entry “*.*.example.com” is meant to wildcard multiple sub-domain levels. In practice it does not work: the CA/Browser Forum Baseline Requirements allow a single wildcard only as the complete leftmost label, so a public CA will not issue it (and will likely reject a CSR containing it), and browsers, like OpenSSL’s own hostname check, match a wildcard against exactly one label. Neither this entry nor “*.example.com” will ever match www.subdomain.example.com; a multi-level name has to be spelled out, or get a wildcard of its own such as “*.subdomain.example.com”.
5. Follow the exact instructions on generating a CSR, pointing -config at the edited openssl.cnf (the names are picked up from its “[ alt_names ]” section; there is no separate command-line option for them)…
openssl genrsa -out example_com.key 2048
openssl req -new -sha256 -key example_com.key -out example_com.csr -config C:\WampDeveloper\Config\Apache\openssl.cnf
The first line generates your private key. The second line generates the CSR with the additional names from the “[ alt_names ]” section. At this point you can either input the contents of the CSR file into the CA’s certificate purchasing process, or self-sign the cert…
Self-Signing a CSR (Certificate Signing Request) For a Wildcard Domain
If you are going to self-sign this certificate with openssl ca, you need to tell the CA configuration to carry the SAN extension over from the CSR, by uncommenting in file openssl.cnf, in the “[ CA_default ]” section, the line:
# copy_extensions = copy
[ CA_default ]
# Extension copying option: use with caution.
copy_extensions = copy
This setting is only read by openssl ca. The one-step openssl x509 -req command used below does not consult it and does not copy any extensions from the CSR, which is why the SAN list has to be passed in again with -extfile.
Then create the self-signed wildcard certificate the exact same way as in all other cases, adding -extfile with the alt-names.txt file. For openssl x509 that file must name the extension in its unnamed (default) section, i.e. it starts with the line “subjectAltName = @alt_names”, followed by the “[ alt_names ]” list:
openssl x509 -req -sha256 -days 365 -in example_com.csr -signkey example_com.key -out example_com.crt -extfile C:\WampDeveloper\Config\Apache\alt-names.txt
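The whole procedure above (the CSR steps and the self-signing command) as one runnable script. This is an added example, not code from the original page or from WampDeveloper: it assumes the openssl command-line tool is on PATH, works in a scratch directory with a minimal config of its own instead of editing the WampDeveloper openssl.cnf, and the file names (req.cnf, alt-names.txt, example_com.*) are made up for the example. It finishes by asking OpenSSL’s own hostname matcher which names the certificate actually covers, which shows the one-label wildcard limit described earlier (www.shop.example.com is not covered even though *.*.example.com is listed).

```shell
#!/bin/sh
# Added example (not from the original page): SAN/wildcard CSR with OpenSSL,
# self-signed, then checked for hostname coverage.  Assumes `openssl` on PATH.
# All paths and file names below are made up for this example.
set -e

# Scratch directory so nothing in a real openssl.cnf is touched.
WORK="${WORK:-$(mktemp -d)}"

# Minimal req config.  The [ alt_names ] section MUST be in the same file that
# `openssl req -config` reads, otherwise "@alt_names" cannot be resolved.
write_req_config() {
  cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
CN = *.example.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName   = @alt_names

[ alt_names ]
DNS.1 = www.example.com
DNS.2 = example.com
DNS.3 = *.example.com
DNS.4 = *.*.example.com
EOF
}

# Extension file for `openssl x509 -req`, which ignores the CSR's extensions:
# the unnamed (default) section names the extension, [ alt_names ] supplies it.
write_ext_file() {
  cat > "$WORK/alt-names.txt" <<'EOF'
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = www.example.com
DNS.2 = example.com
DNS.3 = *.example.com
DNS.4 = *.*.example.com
EOF
}

# Key, CSR and self-signed certificate, exactly the three commands of the article.
make_key_csr_cert() {
  write_req_config
  write_ext_file
  openssl genrsa -out "$WORK/example_com.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$WORK/example_com.key" \
    -out "$WORK/example_com.csr" -config "$WORK/req.cnf"
  openssl x509 -req -sha256 -days 365 -in "$WORK/example_com.csr" \
    -signkey "$WORK/example_com.key" -out "$WORK/example_com.crt" \
    -extfile "$WORK/alt-names.txt" 2>/dev/null
}

# SAN line of the CSR: what the CA will see.  Check this before submitting.
csr_sans() {
  openssl req -in "$WORK/example_com.csr" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# SAN line of the self-signed certificate: proves -extfile was picked up.
cert_sans() {
  openssl x509 -in "$WORK/example_com.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Ask OpenSSL's hostname matcher (same rules as browsers: one wildcard, only as
# the whole leftmost label, matching exactly one label) whether the certificate
# is valid for a host.  Prints "match" or "no match".
covers() {
  if openssl verify -CAfile "$WORK/example_com.crt" -verify_hostname "$1" \
       "$WORK/example_com.crt" >/dev/null 2>&1; then
    echo match
  else
    echo "no match"
  fi
}

make_key_csr_cert
echo "CSR SAN:  $(csr_sans)"
echo "Cert SAN: $(cert_sans)"
for h in www.example.com example.com shop.example.com www.shop.example.com; do
  printf '%-24s %s\n' "$h" "$(covers "$h")"
done
```

The `openssl verify -verify_hostname` step is worth keeping in any certificate-issuing script: it fails for www.shop.example.com, so a missing name or an unusable multi-level wildcard shows up before the certificate is installed rather than as a browser warning.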
Installing Wildcard and Multi-Domain Certificates
There is no difference between how Apache (or any other web server such as IIS, Nginx or Tomcat) treats normal and wildcard certs.
You install the certificate the regular way: update each website’s SSL VirtualHost file with the location/path of the cert, the bundle file (if one exists) and the private key. All sites can point at the same files, or the files can be duplicated into each website’s certs\ folder…
Note that if you self-signed the certificate:
- There will be no bundle file (don’t use “
- And if you want your local OS and browser to actually accept this certificate (without blocking website access as “untrusted”), you will have to install it into the Windows Trusted Root Certification Authorities store. Some browsers (Firefox, for example) do not use this store; they keep their own certificate store and have their own “trust exception” process.