This guide explains how to create a self-signed wildcard SSL certificate for internal use. A wildcard SSL certificate allows you to secure a domain and all its subdomains with a single certificate. These certificates are ideal for development, staging, and internal systems where a trusted Certificate Authority (CA) is not required.
These commands are compatible with OpenSSL 1.1.1 and above, typically found on Ubuntu, Debian, CentOS, RHEL, Rocky Linux, and AlmaLinux.
Method 1: Create a Self-Signed Wildcard SSL with SAN Support
Modern browsers and servers require Subject Alternative Name (SAN) fields. This method ensures maximum compatibility.
- Create an OpenSSL Configuration File
Create a file named san.cnf with the following contents:

[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C = US
ST = State
L = City
O = Company
OU = IT
CN = *.example.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = *.example.com
DNS.2 = example.com
Replace fields as required and update the domain name.
- Generate Private Key and CSR
openssl req -new -nodes -out wildcard.csr -keyout wildcard.key -config san.cnf
- Create the Self-Signed Certificate:
openssl x509 -req -days 365 -in wildcard.csr -signkey wildcard.key \
  -extfile san.cnf -extensions req_ext -out wildcard.crt
- This generates three files: wildcard.key (the private key), wildcard.csr (the certificate signing request) and wildcard.crt (the self-signed certificate, including the SAN entries from the req_ext section).
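The whole of Method 1 as a script, plus a check of which hostnames the resulting certificate actually covers. This is an added example, not part of the original guide; it assumes openssl 1.1.1 or later is on PATH, uses the guide's file names, and the helper function names are ours.

```shell
#!/bin/sh
# Added example (not from the guide): build the Method 1 SAN wildcard cert and
# check which hostnames it covers. Assumes openssl 1.1.1+ is on PATH.

# Write san.cnf as in the guide for the given base domain (helper name is ours).
write_san_config() {
  cat > san.cnf <<EOF
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = US
O = Company
CN = *.$1
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.$1
DNS.2 = $1
EOF
}

# Method 1, steps 2-3: private key + CSR, then a self-signed cert carrying req_ext (the SAN).
make_wildcard_cert() {
  write_san_config "$1"
  openssl req -new -nodes -out wildcard.csr -keyout wildcard.key -config san.cnf 2>/dev/null &&
  openssl x509 -req -days 365 -in wildcard.csr -signkey wildcard.key \
    -extfile san.cnf -extensions req_ext -out wildcard.crt 2>/dev/null
}

# Succeeds only if wildcard.crt, trusted as its own anchor, is valid for the given name.
# Same rule browsers apply: a wildcard matches exactly one label, so a.b.example.com fails.
hostname_ok() {
  openssl verify -CAfile wildcard.crt -verify_hostname "$1" wildcard.crt >/dev/null 2>&1
}

# Usage: sh wildcard-check.sh example.com   (runs in a fresh temporary directory)
if [ "$#" -eq 1 ]; then
  cd "$(mktemp -d)" && make_wildcard_cert "$1"
  for host in "site.$1" "$1" "a.b.$1"; do
    if hostname_ok "$host"; then echo "$host: covered"; else echo "$host: NOT covered"; fi
  done
fi
```

Running it with example.com reports site.example.com and example.com as covered and a.b.example.com as not covered, which is the one-level wildcard rule described in the notes at the end of this guide.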
Method 2: Quick Inline Command (Legacy, No SAN)
- If you want to generate a wildcard CSR and key using a single inline command (older approach), use:
openssl req -newkey rsa:2048 -nodes -keyout wildcard.key -out wildcard.csr \
  -subj "/C=US/ST=State/L=City/O=Company/OU=IT/CN=*.example.com"
- Then create the self-signed certificate:
openssl x509 -req -days 365 -in wildcard.csr -signkey wildcard.key -out wildcard.crt
Note: This method does not include SAN and may trigger warnings in modern browsers and applications.
Installing the SSL Certificate
- Apache Example
Add the following to your SSL VirtualHost:

SSLEngine on
SSLCertificateFile /path/to/wildcard.crt
SSLCertificateKeyFile /path/to/wildcard.key
- Restart Apache:
systemctl restart apache2
- Nginx Example
Add to your server block:

ssl_certificate /path/to/wildcard.crt;
ssl_certificate_key /path/to/wildcard.key;
- Restart Nginx:
systemctl restart nginx
Optional: Generate PFX File (For Windows/IIS)
openssl pkcs12 -export -out wildcard.pfx -inkey wildcard.key -in wildcard.crt
Important Notes
- Web browsers do not trust self-signed wildcard SSL certificates by default and show a warning when they encounter one.
- A wildcard certificate covers one level of subdomains, such as site.example.com, but not deeper names such as a.b.example.com.
- For production use, always obtain certificates from a trusted Certificate Authority (CA).
Creating a self-signed wildcard SSL certificate is a fast and free way to secure many subdomains while you are developing or testing a website. For live/production websites, you should always use an SSL certificate issued by a trusted Certificate Authority (CA).
A Windows VPS Hosting solution provides administrator access and the flexibility needed to manage SSL certificates, IIS settings and secure business websites.
Need full SSL control? Learn How to manage service SSL certificates in WHM