Managing Your own CA and Issuing a Wildcard Cert

Thu 06 June 2019


It was recently brought to my attention that this problem is probably solved by using certstrap, courtesty of Square. If you're in a hurry, I'd encourage you to go and give that a try first.


I'm leaving the below for posterity and pedagogical use.


Wildcard certs are expensive, especially for home labs. It seems, though, that the Internet is full of how-to's and "works for me!" type solutions. That browser behavior has changed since a lot of those solutions were published only exacerbates the issue.

This is another one of those write-ups.


We should create our own Cert Authority. Then use that CA to create as many internal certs as we need, including a wildcard cert. After all, plenty of organizations run their own internal CA, so we should get familiar with that life cycle. This solution will focus on creating a wildcard cert with multiple subdomains, like you would find in a typical Cloud Foundry deployment.

Create the CA

# Create the CA's key
openssl genrsa -des3 -out

# Create the CA's cert
openssl req -x509 -new -nodes -key -sha256 -days 1825 -out

Answer the questions as needed.

Create a Config for Our Wildcard CSR

I hate creating temporary files but we don't do this very often (yet) so we're going to be lazy this time.

Create your config file, specifying the wildcard domain. Apparently, we no longer use the CN in a certificate to identify servers and, instead, should be using the SAN field. For some light reading on the topic, see this Chrome platform status post and rfc2818 (run a text search for 'common name').

As such, be sure to make use of the SAN field, and get them right.

Our config file for generating our wildcard CSR

distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
C  =  US
ST  =  CA
L  =  Beverly Hills
O  =  Homelab
OU  =  Homelab 
CN  =  *
extendedKeyUsage = serverAuth,clientAuth
subjectAltName = @alt_names
DNS.1 = *
DNS.2 = *
DNS.3 = *
DNS.4 = *
DNS.5 = *
DNS.6 = *
DNS.7 = *

Yes, that's a lot of subdomains. What can I say? We do a lot of work.

Create our CSR

Assuming we named our config file csr-config.conf.

openssl req -new \
-newkey rsa:2048 \
-key \
-nodes \
-out \
-extensions v3_req \
-config csr-config.conf

Create the Config File to Sign the CSR

Apparently also required, as the SANs never made it into the signed cert if I excluded the config file.

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

DNS.1 = *
DNS.2 = *
DNS.3 = *
DNS.4 = *
DNS.5 = *
DNS.6 = *
DNS.7 = *

Sign the CSR With Our CA's Cert

In this case, the config file we just created is named signing-config.conf.

openssl x509 -req \
-in \
-CA \
-CAkey \
-CAcreateserial \
-out \
-days 1825 \
-sha256 \
-extfile signing-config.conf \
-extensions req_ext


Confirm the SAN field has the correct domains, subdomains, and wildcard entries needed.

openssl x509 -text -in

Share and Enjoy

Just import the CA .pem that you created into your browser and you now have your own little CA and your own seamless browser experience. Enjoy!


The Internet is full of articles on the subject. These were particularly useful to me.