Home » Wiki » How to Create CSR for Wildcard SSL with OpenSSL Commands?

How to Create CSR for Wildcard SSL with OpenSSL Commands?

by | SSL Certificate

Create CSR for Wildcard SSL with OpenSSL Commands

OpenSSL Commands to Generate CSR for Wildcard SSL Certificate

Creating a Certificate Signing Request (CSR) for wildcard SSL certificates requires specific OpenSSL commands. The wildcard SSL certificates let you secure multiple subdomains under a single domain name.

This guide explains the steps to generate a CSR file and private key using OpenSSL, which you need for wildcard SSL certificate application. The process involves entering domain details, organization information, and location data.

You will get two important files after running the commands – a private key file and a CSR file. The CSR file contains your domain and company details that Certificate Authorities need to issue your wildcard SSL certificate. The steps are simple and take only a few minutes to complete.

Prerequisites Before Generating CSR for Wildcard SSL

Before generating the CSR, make sure you have the following:

  • OpenSSL installed on your server. This comes pre-installed on most Linux and MacOS versions. For Windows, you can download and install OpenSSL.
  • Access to your server terminal/command line.
  • Ownership and control of the base domain name for which you want a wildcard certificate. For example, if you want *.example.com, it would help if you controlled example.com.
  • Decide on the subdomain you will use to generate the CSR, such as csr.example.com or wildcard.example.com.

6 Easy Steps You Should Follow to Create CSR for Wildcard SSL Certificate Using OpenSSL

  • Create the Private Key
  • Create the CSR Configuration File
  • Generate the CSR
  • Verify the CSR Contents
  • Submit the CSR to a Certificate Authority
  • Install the Wildcard SSL Certificate

Step 1: Create the Private Key

The first step is to create the private key that will be included in the CSR. This is done using the openssl genrsa command.

openssl genrsa -out wildcard.key 2048

This generates a 2048-bit RSA private key and saves it to a file called wildcard.key. You can adjust the key size, but 2048 bits is standard.

Keep this key file very secure, as it proves ownership of the domain.

Step 2: Create the CSR Configuration File

OpenSSL requires a configuration file to generate the CSR, which specifies the details to be included in the certificate.

Create a file called wildcard.csr.cnf and add the following contents:

[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[dn]
C=US
ST=RandomState
L=RandomCity
O=RandomOrganization
OU=Information Technology
emailAddress=admin@example.com
CN = *.example.com

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.example.com
DNS.2 = example.com

Replace the values as per your company details and required domain name.

The CN field must contain the wildcard domain name prefixed with an asterisk *.

The subjectAltName extension allows specifying additional domain names besides the common name.

Step 3: Generate the CSR

With the key and config file ready, you can now generate the CSR using the openssl req command. Make sure to be in the same directory as the wildcard.key and wildcard.csr.cnf files.

openssl req -new -key wildcard.key -out wildcard.csr -config wildcard.csr.cnf

This uses the key and CSR options defined to create a new CSR file called wildcard.csr.

Step 4: Verify the CSR Contents

Before submitting the CSR to a CA, you should verify it contains the correct information using:

openssl req -text -noout -in wildcard.csr

This will print out the full details of the CSR in text format.

Check that the public key, subject information, and Subject Alternative Names are all correct. The output should be similar to:

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: C=US, ST=RandomState, L=RandomCity, O=RandomOrganization, OU=Information Technology, CN=*.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ab:2c:...
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
        Requested Extensions:
            X509v3 Subject Alternative Name: 
                DNS:*.example.com, DNS:example.com
    Signature Algorithm: sha256WithRSAEncryption
         6d:2c:04:...

Step 5: Submit the CSR to a Certificate Authority

Once you have validated the CSR’s content, you can submit it to a Certificate Authority (CA) to obtain the wildcard SSL certificate.

The process varies between CAs but typically involves:

  • Pasting the contents of your wildcard.csr file into an order form on the CA’s website.
  • Providing administrative and technical contact details.
  • Providing documentation to prove you own or control the domain name being certified.
  • Accepting the subscriber agreement.
  • Paying the certificate fees.

The CA will then validate your domain ownership and issue the wildcard SSL certificate. This is provided as a zipped file containing the certificate (.crt), private key, intermediate certificates, and potentially other files.

Save and unzip this certificate package on your server.

Step 6: Install the Wildcard SSL Certificate

To use the newly issued wildcard SSL with your web server, you need to install it properly. The exact steps depend on your server setup:

For Apache:

  • Place the wildcard certificate file (example.com.crt) inside the /etc/ssl/certs directory.
  • Place the private key (example.com.key) inside /etc/ssl/private.
  • Edit the Apache configuration file at /etc/httpd/conf.d/ssl.conf and update the SSLCertificateFile and SSLCertificateKeyFile directives to point to the new wildcard certificate files.
  • Restart Apache: sudo systemctl restart httpd.

The wildcard SSL certificate will now secure all sub-domains for your site.

For Nginx:

  • Place the certificate, key, and intermediate files in the /etc/ssl/certs and /etc/ssl/private directories, respectively.
  • Edit the Nginx configuration file at /etc/nginx/nginx.conf and update the ssl_certificate and ssl_certificate_key directives to reference the new files.
  • Restart Nginx: sudo systemctl restart nginx.

Nginx will now use the wildcard SSL certificate.

For IIS on Windows:

  • Open the IIS Manager and go to the server certificates section.
  • Click “Import Certificate” and select the wildcard SSL certificate file. Provide the password if prompted.
  • Select the imported certificate and click “Bindings” on the right Actions panel.
  • On the Site Bindings window, add a new binding for the wildcard domain and select the newly imported SSL cert from the dropdown.
  • Click “OK” and then restart IIS for the changes to take effect.

What are Some Common OpenSSL CSR Generation Issues

When creating the CSR using OpenSSL, some common errors include:

  • Unable to load config file or key file: Make sure the OpenSSL config file and private key file paths are correct, and the files exist on your system.
  • Missing private key: Your OpenSSL command is missing the -key parameter pointing to the private key.
  • Invalid domain name: The CN or SAN entries contain invalid domain names with incorrect wildcards.
  • Additional domain names not included: If additional domains besides the CN are required, the SAN extension must be specified in the config.
  • CSR and key mismatch: Your CSR was generated using a different private key. Generate both the key and CSR together.
  • SSL routines missing: Your OpenSSL installation needs to be completed. Try reinstalling or updating OpenSSL.
  • Unable to write or create files: Your user account lacks written permission in the directories for the key and CSR files.

How to Revoke a Wildcard SSL Certificate

If your wildcard certificate gets compromised or you no longer want to use it, you will need to revoke it. The process depends on the issuing CA:

  • Public CAs: You can revoke certificates issued by public CAs like Sectigo, DigiCert, GoDaddy, etc., from inside your account dashboard on the CA’s website.
  • Private CAs: For private CAs, you may need to manually add the certificate’s serial number to the CA’s certificate revocation list (CRL).

After revocation, browsers will no longer trust the SSL certificate and will display certificate warnings. To restore a valid SSL/TLS connection, you should generate and install a new certificate.

Final Thoughts

Wildcard SSL certificates provide an easy way to secure unlimited subdomains on your website or web application.

By generating your own Certificate Signing Request using the OpenSSL commands, you can obtain a trusted wildcard SSL certificate from any CA.

Carefully manage the private key used to create the CSR and install the issued certificate properly on your web server.

Following the steps in this guide, you can reliably create CSRs for wildcard SSL certificates using OpenSSL for use on the web server of your choice.

Frequently Asked Questions (FAQs)

What is the difference between a normal SSL certificate and a wildcard certificate?

A regular SSL certificate only secures the exact domain name it is issued for, like www.example.com. A wildcard SSL certificate secures the base domain plus any subdomains prepended with an asterisk, like *.example.com.

Can I use a wildcard certificate on multiple domains?

No, a wildcard certificate only secures subdomains of the base domain specified. You cannot use a *.example.com certificate with subdomains of another domain like example2.com. Separate wildcard certificates must be issued for different base domains.

Do all web servers and clients support wildcard certificates?

All modern web servers, such as Apache, Nginx, and IIS, support wildcard SSL certificates, as do the latest browsers and operating systems. However, some older systems may not be compatible, so check before purchasing a wildcard cert.

How long does it take to issue a wildcard SSL certificate?

Most CAs can issue wildcard SSL certificates within minutes or a few hours after verifying domain ownership and receiving the CSR. If additional vetting is required, it may take up to a few days.

Can I use OpenSSL to generate a wildcard CSR on Windows?

Yes, OpenSSL can be installed and used on Windows to generate wildcard CSRs by following the steps outlined in this guide. Make sure you download and set up the correct binary distribution of OpenSSL for Windows.

Priya Mervana

Priya Mervana

Verified Badge Verified Web Security Experts

Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.