I recently purchased a Wildcard SSL certificate because of Black Friday reasons, and the cost wasn't bad for a year (>$28/year), so I pulled the trigger because I wanted the experience, and I was already using Let's Encrypt, which isn't bad either. Let's get to it!
You will need to generate a Certificate Signing Request (CSR) and provide it to an SSL vendor, who uses it to issue the certificate; the same CSR flow applies whether you are buying a single-name, multi-domain or wildcard certificate. I used Ubuntu and went with Namecheap. For a wildcard certificate the Common Name you enter when prompted must be the wildcard itself (for example *.example.com, which covers exactly one label under the domain); a CSR for the bare example.com will not get you a wildcard.
First, generate the private key and the CSR with this command:
openssl req -newkey rsa:2048 -keyout SITENAME.key -out SITENAME.csr
This creates the two files you need: SITENAME.key, the private key (the command prompts for a PEM passphrase, and that passphrase is what NGINX will later need to load the key), and SITENAME.csr. Keep the key private; only the CSR goes to the vendor. In my case I used Namecheap, and after completing the process I was presented with a certificate file (.crt) and a bundle file containing the vendor's intermediate certificates.
You will need to combine the certificate file and the bundle into one file, leaf certificate first and intermediates after it (NGINX requires that order), with a simple cat command. Use > rather than >> so that rerunning the step replaces the file instead of appending a second copy of the chain:
cat SITENAME.crt SITENAME_bundle > SITENAME-bundle.crt
Once SITENAME-bundle.crt exists, open it and check that every BEGIN CERTIFICATE and END CERTIFICATE marker sits on its own line. Vendor-issued .crt files often lack a trailing newline, so plain concatenation glues the leaf's END line onto the bundle's BEGIN line, and NGINX then refuses the file with: (SSL: error:0908F066:PEM routines:get_header_and_data:bad end line). If you see that, insert a newline between the two certificates and rebuild the file.
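The two steps above, generating the wildcard CSR and assembling the bundle, as an added shell example that is not the original post's commands and not anything shipped by Namecheap or NGINX. The names example.com, SITENAME.key/.csr/.crt, SITENAME.ca-bundle (the intermediate file) and SITENAME.pass (the passphrase file later handed to NGINX) are assumptions. The CSR function needs OpenSSL 1.1.1 or newer for -addext; the bundle helpers are plain awk and are exercised at the bottom on constructed stand-in PEM files that reproduce the missing-trailing-newline problem:

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: example.com,
# SITENAME.key/.csr/.crt, SITENAME.ca-bundle, SITENAME.pass (see lead-in).
set -e

# Wildcard CSR, non-interactively: CN and SAN carry *.example.com (one label only);
# the apex is listed as a second SAN. The key is encrypted with the passphrase in
# the given file, mirroring the post. Requires OpenSSL 1.1.1+ for -addext.
make_wildcard_csr() {
    domain=$1; prefix=$2; passfile=$3
    openssl req -new -newkey rsa:2048 -sha256 \
        -subj "/CN=*.$domain" \
        -addext "subjectAltName=DNS:*.$domain,DNS:$domain" \
        -passout "file:$passfile" \
        -keyout "$prefix.key" -out "$prefix.csr"
    chmod 400 "$prefix.key"
    openssl req -noout -subject -in "$prefix.csr"   # confirm CN is *.$domain before uploading
}

# Strip CRs and guarantee a trailing newline, so concatenating two PEM files can
# never fuse "-----END CERTIFICATE-----" onto the next "-----BEGIN CERTIFICATE-----"
# (that fused line is what triggers "PEM routines:get_header_and_data:bad end line").
pem_normalise() { awk '{ sub(/\r$/, ""); print }' "$1"; }

# Leaf first, then intermediates. '>' rather than '>>': rerunning replaces the
# bundle instead of appending a second copy of the chain.
make_bundle() {
    leaf=$1; chain=$2; out=$3
    { pem_normalise "$leaf"; pem_normalise "$chain"; } > "$out"
}

# Succeeds only if BEGIN/END markers pair up and no END marker has text after it.
check_pem_layout() {
    awk '
        { sub(/\r$/, "") }
        /-----BEGIN CERTIFICATE-----/ { b++ }
        /-----END CERTIFICATE-----/   { e++ }
        /-----END CERTIFICATE-----./  { fused++ }
        END { exit !(b > 0 && b == e && fused == 0) }
    ' "$1"
}

cert_count() { awk '/-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"; }

# The public key derived from the private key must equal the one in the leaf cert;
# the passphrase comes from the same file NGINX reads via ssl_password_file.
key_matches_cert() {
    key=$1; crt=$2; passfile=$3
    [ "$(openssl x509 -noout -pubkey -in "$crt")" = \
      "$(openssl pkey -pubout -in "$key" -passin "file:$passfile")" ]
}

# Demo on constructed stand-in files (not real certificates): the "vendor" leaf
# file is written without a trailing newline, as delivered .crt files often are.
DEMO_DIR=$(mktemp -d)
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'TEFBRi1DRVJU' \
    '-----END CERTIFICATE-----' > "$DEMO_DIR/SITENAME.crt"
printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'SU5URVJNRURJQVRF' \
    '-----END CERTIFICATE-----' > "$DEMO_DIR/SITENAME.ca-bundle"

cat "$DEMO_DIR/SITENAME.crt" "$DEMO_DIR/SITENAME.ca-bundle" > "$DEMO_DIR/naive-bundle.crt"
make_bundle "$DEMO_DIR/SITENAME.crt" "$DEMO_DIR/SITENAME.ca-bundle" "$DEMO_DIR/SITENAME-bundle.crt"

if check_pem_layout "$DEMO_DIR/naive-bundle.crt"; then
    echo "naive bundle: ok"
else
    echo "naive bundle: END and BEGIN fused on one line (nginx would report bad end line)"
fi
if check_pem_layout "$DEMO_DIR/SITENAME-bundle.crt"; then
    echo "normalised bundle: ok, $(cert_count "$DEMO_DIR/SITENAME-bundle.crt") certificates"
fi
```

Run make_wildcard_csr example.com SITENAME SITENAME.pass once, upload the printed CSR, then make_bundle SITENAME.crt SITENAME.ca-bundle SITENAME-bundle.crt and key_matches_cert SITENAME.key SITENAME-bundle.crt SITENAME.pass before pointing NGINX at the files; the key check reads only the first certificate in the bundle, which is the leaf.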
I use NGINX as my web server, and since I put a PEM passphrase on the private key during CSR creation, I have to set a few directives so I don't have to type it in each time NGINX is restarted:
- ssl_password_file – Path to a file holding the key passphrase (one passphrase per line; NGINX tries them in turn). Change its permissions to 400 and keep it owned by root: anyone who can read it can unlock the key.
- ssl_certificate – Path to the bundled certificate file created above (leaf first, then intermediates).
- ssl_certificate_key – Path to the private key file (SITENAME.key).
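The three directives in one server block, as an added configuration example rather than the post's own config. The paths under /etc/nginx/ssl/ and the domain example.com are assumptions; the wildcard server_name matches one label only, so the apex is listed separately:

```nginx
# Added example, not the original post's configuration. Assumed paths and domain.
server {
    listen 443 ssl;
    server_name example.com *.example.com;   # *.example.com matches app.example.com, not a.b.example.com

    ssl_certificate     /etc/nginx/ssl/SITENAME-bundle.crt;   # leaf certificate first, then intermediates
    ssl_certificate_key /etc/nginx/ssl/SITENAME.key;           # passphrase-protected private key
    ssl_password_file   /etc/nginx/ssl/SITENAME.pass;          # one passphrase per line; chmod 400, owner root

    ssl_protocols TLSv1.2 TLSv1.3;
}

server {
    listen 80;
    server_name example.com *.example.com;
    return 301 https://$host$request_uri;   # send plain HTTP to the certificate-protected site
}
```

Validate with nginx -t before applying the change with nginx -s reload; NGINX reads the password file as root at configuration load time, so the 400 permission does not break reloads. To confirm the right certificate is being served for a subdomain, connect with openssl s_client -connect example.com:443 -servername app.example.com and pipe the output through openssl x509 -noout -subject -dates, which prints the subject and validity period of the certificate the server presented.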
After setting the directives I tested with nginx -t to ensure nothing was wrong, and a little nginx reload && nginx restart came back clean, so it was time to test whether the new certificate had gone live.
Now reuse the same certificate, key and password file in the server blocks for the rest of the subdomains, and every name one label under your domain will be covered by the single certificate (app.example.com, but not a.b.example.com, which a wildcard does not match). Whether the bare apex is included depends on the names listed in the certificate's subjectAltName, so check that before relying on it.
I'm leaving out smaller details such as Domain Validation (DV) and some of the prompted questions during certificate creation, which are very minor.