Tutorial: wildcard domain SSL/TLS certificates
Subject alternate domain (a.k.a. wildcard) TLS certificates are an efficient way to protect multiple domains without having to purchase multiple certificates. Unfortunately, I had to dig quite a bit to figure out how to generate/update one using OpenSSL:
Generate a new key and cert:
Download myconfig.cnf and configure lines 127-150 and 224-230, install OpenSSL and then run:
openssl req -new -newkey rsa:4096 -keyout myprivate.key -nodes -extensions v3_req -config myconfig.cnf -out mycert.csr
Update cert (using an existing key):
openssl req -new -key myprivate.key -config myconfig_updated.cnf -out mycert_updated.csr
P.S. A wildcard only covers a single subdomain level (e.g. you can't do *.*.example.com).
P.P.S. If you set up your config file with your desired defaults, you can avoid hitting Enter for each prompt by including -batch in your openssl commands above.
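A way to confirm that the names you configured actually reached the CSR before you submit it. This is an added example, not part of the original post: the config is a constructed minimal one rather than the post's myconfig.cnf, example.com and example.net are placeholder names, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed minimal request config (not the post's myconfig.cnf).
# example.com and example.net are placeholder names.
write_san_config() {  # $1 = path of the config file to create
cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
req_extensions     = v3_req
prompt             = no

[ req_dn ]
CN = example.com

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.com
DNS.2 = *.example.com
DNS.3 = example.net
EOF
}

# Same command as in the post, plus -batch. -nodes leaves the private key
# unencrypted on disk, so create it under a restrictive umask.
make_csr() {  # $1 = config, $2 = key out, $3 = CSR out, $4 = RSA bits (default 4096)
    ( umask 077
      openssl req -new -newkey "rsa:${4:-4096}" -keyout "$2" -nodes \
          -extensions v3_req -config "$1" -batch -out "$3" )
}

# Print the SAN entries that actually ended up in the CSR, one per line.
csr_sans() {  # $1 = CSR
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed 's/^ *//'
}

# Succeed only if the CSR carries the given DNS name as a SAN.
csr_has_san() {  # $1 = CSR, $2 = name such as '*.example.com'
    csr_sans "$1" | grep -qxF "DNS:$2"
}

# Usage:
#   write_san_config san.cnf
#   make_csr san.cnf myprivate.key mycert.csr
#   csr_has_san mycert.csr '*.example.com' || echo 'SAN missing from CSR' >&2
```

The same check works on a CSR regenerated from an existing key, which is where a SAN list most often goes missing because the extensions section was not picked up.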