Generating and Installing Wildcard and Multi-Domain SSL Certificates<\/p>\n
Generate a CSR (Cert Signing Request) For a Wildcard Domain<\/p>\n
Normally, to generate a certificate for a wildcard domain such as *.example.com, all you have to do (when generating the CSR) is specify in the \u201cCommon Name\u201d field:
\n*.example.com<\/p>\n
The problem is that that:<\/p>\n
This will only wildcard 1 sub-domain level (i.e., it will not work for www.subdomain.example.com, https:\/\/www.subdomain.example.com).
\nAnd it will not cover the root domain (i.e., \u201cexample.com\u201d, https:\/\/example.com).
\nTo cover additional domains and wildcards, you have to use openssl\u2019s SAN (subjectAltName) extension\u2026<\/p>\n
1. Edit file openssl.cnf (open via Notepad) \u2013
\nFile C:\\WampDeveloper\\Config\\Apache\\openssl.cnf<\/p>\n
2. Uncomment (remove starting \u2018#\u2019) line:
\n# req_extensions = v3_req # The extensions to add to a certificate request<\/p>\n
req_extensions = v3_req # The extensions to add to a certificate request
\n3. Update the \u201c[ v3_req ]\u201d section with line:
\nsubjectAltName = @alt_names<\/p>\n
[ v3_req ]<\/p>\n
# Extensions to add to a certificate request<\/p>\n
basicConstraints = CA:FALSE
\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment
\nsubjectAltName = @alt_names
\n4. Create file named \u201calt-names.txt\u201d and place the entire list of all domains and wildcards into it (including the previously entered \u201cCommon Name\u201d):<\/p>\n
[ alt_names ]
\nDNS.1 = www.example.com
\nDNS.2 = example.com
\nDNS.3 = *.example.com
\nDNS.4 = *.*.example.com
\nNote that entry \u201c*.*.example.com\u201d wildcards on multiple level sub-domains. This entry might, or might not work, depending on how different Browsers decide to handle this and if the CA (Certificate Authority) allows this.<\/p>\n
5. Follow the exact instruction on generating a CSR, except make sure to add the \u201calt-names.txt\u201d file into the CSR generation command\u2026<\/p>\n
openssl genrsa -out example_com.key 2048
\nopenssl req -new -sha256 -key example_com.key -out example_com.csr -config C:\\WampDeveloper\\Config\\Apache\\openssl.cnf
\nThe first line generates your private key. The next line generates the CSR, using the additional entries from the alt-names.txt file. At this point you can either input the contents of CSR file into the CA\u2019s certificate purchasing process, or self-sign the cert\u2026<\/p>\n
Self-Signing a CSR (Certificate Signing Request) For a Wildcard Domain<\/p>\n
If you are going to self-sign this certificate, you will need to tell the CA configuration to allow and use the SAN extension, by uncommenting in file openssl.cnf, line:
\n# copy_extensions = copy<\/p>\n
[ CA_default ]
\n# Extension copying option: use with caution.
\ncopy_extensions = copy
\nThen create the self-signed wildcard certificate the exact same way as in all other cases:<\/p>\n
openssl x509 -req -sha256 -days 365 -in example_com.csr -signkey example_com.key -out example_com.crt -extfile C:\\WampDeveloper\\Config\\Apache\\alt-names.txt
\nInstalling Wildcard and Multi-Domain Certificates<\/p>\n
There is no difference between how Apache (nor any other web-server such as IIS, Nginx, Tomcat) treats normal and wildcard certs.<\/p>\n
You would install the certificates the regular way, with a separate update to each website\u2019s SSL VirtualHost file, on the location\/path to the: cert, bundle file (if exists), and private key (all of which can point to the same locations for each website, or can be duplicated into each websites\u2019 certs\\ folder)\u2026<\/p>\n
For example see Installing Comodo PositiveSSL Certificate Bundled with Root and Intermediate CA Certificates on Apache.<\/p>\n
Note that if you self-signed the certificate:<\/p>\n
There will be no bundle file (don\u2019t use \u201cSSLCertificateChainFile\u201d directive).
\nAnd if you want your local OS and Browser to actually accept and pass this certificate (without blocking website access as \u201cuntrusted\u201d), you are going to have to install it into Windows Trusted Root Certification Authorities store. *Some Browsers do not use this store and have their own \u201ctrust exception\u201d process.<\/p>\n","protected":false},"excerpt":{"rendered":"
Generating and Installing Wildcard and Multi-Domain SSL Certificates<\/p>\n
Generate a CSR (Cert Signing Request) For a Wildcard Domain<\/p>\n
Normally, to generate a certificate for a wildcard domain such as *.example.com, all you have to do (when generating the CSR) is specify in the \u201cCommon Name\u201d field: *.example.com<\/p>\n
The problem is that that:<\/p>\n
This will only […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6772"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6772"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6772\/revisions"}],"predecessor-version":[{"id":6773,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6772\/revisions\/6773"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6772"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6772"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6772"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}