How to Create CSR For Wildcard SSL Certificate

A wildcard SSL certificate allows you to secure your website domain as well as its subdomains using a single SSL certificate. But every SSL certificate requires a certificate signing request (CSR) before it can be issued and installed. Only when you submit the CSR to the certificate authority (CA) and it is authenticated will you receive the SSL certificate bundle. Generally, people create a CSR for a single domain or subdomain. But if you need to use a wildcard SSL certificate, you will need a CSR for the wildcard name. In this article, we will look at how to create a CSR for a wildcard SSL certificate.


How to Create CSR For Wildcard SSL Certificate

Here are the steps to create CSR for wildcard SSL certificate. We will use OpenSSL to generate CSR for our wildcard certificate. OpenSSL is already installed by default in most Linux distributions and you don’t need to install it separately.


1. Generate CSR for Wildcard certificate

Let us assume you need to create CSR for wildcard domain, that is, *.example.com. In other words, we need a single CSR for all subdomains of example.com.

For this purpose, open terminal and run the following command.

$ sudo openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

You will see a bunch of questions with prompts. Enter required information.

  • Common name – Fully qualified domain name of the website you are securing. Since we need a wildcard certificate for all subdomains, use an asterisk (*) in place of the subdomain name, that is, *.example.com
  • Organization – Full legal name of your business/company
  • Organization Unit (OU) – If applicable, a department such as ‘website security’, or use the company name
  • City or Locality – Name of the city or locality where your business is located. Do not abbreviate
  • State or Province – Name of the state or province where your organization is located. Do not abbreviate
  • Country – Two-letter ISO code for the country where your organization is located

You will also be asked for an optional passphrase, for additional security. If you do not want to set a passphrase for your SSL certificate, you can leave this field blank.

That’s it. OpenSSL will generate 2 files:

  1. server.key – private key required for SSL certificate
  2. server.csr – CSR file for SSL certificate

You can view the CSR file in a text editor.

$ sudo vi server.csr

It will look something like

-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
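
Before submitting server.csr to the CA, it is worth checking what it actually contains. The script below is an added example, not part of the original article: it runs the step 1 command without prompts, and goes one step further by also requesting the bare domain through a subjectAltName, since *.example.com on its own does not match example.com. The subject values, the function names and the subjectAltName entry are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example. Domain and subject values below are constructed placeholders.

# make_wildcard_csr DIR DOMAIN -> writes DIR/server.key and DIR/server.csr
make_wildcard_csr() {
    local dir="$1" domain="$2"
    (
        # -nodes leaves server.key unencrypted, so create it owner-only.
        umask 077
        # -subj answers the prompts; -addext needs OpenSSL 1.1.1 or later.
        openssl req -new -newkey rsa:2048 -nodes \
            -keyout "$dir/server.key" -out "$dir/server.csr" \
            -subj "/C=US/ST=California/L=San Francisco/O=Example Inc/CN=*.$domain" \
            -addext "subjectAltName=DNS:*.$domain,DNS:$domain" 2>/dev/null
    )
}

# check_wildcard_csr DIR DOMAIN -> 0 if the CSR is consistent, else 1-3
check_wildcard_csr() {
    local dir="$1" domain="$2" text csr_pub key_pub
    # 1. The CSR's self-signature must verify (file not truncated or altered).
    openssl req -in "$dir/server.csr" -noout -verify 2>&1 \
        | grep -q 'verify OK' || return 1
    # 2. Both the wildcard and the bare domain must be requested.
    text=$(openssl req -in "$dir/server.csr" -noout -text) || return 2
    printf '%s\n' "$text" | grep -qF "DNS:*.$domain" || return 2
    printf '%s\n' "$text" | grep -qF "DNS:$domain" || return 2
    # 3. The CSR must carry the public half of server.key, otherwise the
    #    issued certificate will not pair with that key on the server.
    csr_pub=$(openssl req -in "$dir/server.csr" -noout -pubkey) || return 3
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout) || return 3
    [ "$csr_pub" = "$key_pub" ] || return 3
}

# Stand-alone run: ./wildcard_csr.sh example.com
if [ "$#" -ge 1 ]; then
    workdir=$(mktemp -d)
    make_wildcard_csr "$workdir" "$1" && check_wildcard_csr "$workdir" "$1" \
        && echo "CSR ready: $workdir/server.csr"
fi
```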


2. Install Wildcard SSL Certificate

Once you submit the CSR to your certificate authority (e.g. Norton, Symantec, RapidSSL, etc.) you will be able to download their SSL certificate bundle, or it will be emailed to you. The bundle will contain at least 2 files – the intermediate certificate (RapidSSLCA.crt) and the primary certificate (your_domain_name.crt). In our case, the primary certificate will be example.com.crt

Copy these files to the server where you generated the CSR file above.

Open the Apache configuration file. It will be at one of the following locations, depending on your Linux distribution and type of installation.

  • /etc/apache2/httpd.conf
  • /etc/apache2/apache2.conf
  • /etc/httpd/httpd.conf
  • /etc/httpd/conf/httpd.conf

$ sudo vi /etc/apache2/httpd.conf

Look for the block starting with <VirtualHost *:443> that listens to port 443, for SSL/HTTPS connections. Add the following lines to it.

<VirtualHost *:443>
    DocumentRoot /var/www/html
    # ServerName does not accept wildcards; match subdomains with ServerAlias
    ServerName www.example.com
    ServerAlias *.example.com
    SSLEngine on
    SSLCertificateFile /path/to/example.com.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCertificateChainFile /path/to/RapidSSLCA.crt
</VirtualHost>

Save and close the file. If the above block does not exist in your Apache configuration file, just add it. Update DocumentRoot location with the root location of files for your website.

Restart Apache server.

$ sudo service apache2 restart

That’s it. Now if you open a web browser and visit https://www.example.com, you will see https displayed in the address bar after the page is loaded. You may also use third-party SSL checkers to check whether the SSL certificate is installed correctly.
