
Get a wildcard certificate

Oleksandr Porunov edited this page Jul 21, 2018 · 1 revision

This scenario describes step-by-step how to obtain a certificate for the following domains:
example.com, *.example.com.

Notice that the domain *.example.com covers only the subdomains of example.com; it doesn't cover the domain example.com itself. That is why we also include the domain example.com in the certificate (it's not a requirement, but a suggestion).

Both common name and alternative name can be used for simple domains and wildcard domains. In this scenario it is suggested to use example.com as a common name and *.example.com as an alternative name.

Requirements:

Our CA is Let's Encrypt (we don't specify a server URL, so PJAC uses the built-in default of Let's Encrypt's production server). Let's Encrypt doesn't allow the HTTP01 challenge for wildcard certificates, which is why we use the DNS01 challenge in this scenario.

All files will be saved to /etc/pjac/, and a copy of the default OpenSSL configuration file (openssl.cnf) was made in that directory. Also, the subdirectories /etc/pjac/workdir, /etc/pjac/certdir and /etc/pjac/digests were created beforehand.


  1. Generate a CA user account key:

    openssl genrsa -out /etc/pjac/account.key 2048
    

    ℹ️ We generate a 2048-bit key here. Let’s Encrypt accepts RSA keys from 2048 to 4096 bits in length, and P-256 and P-384 ECDSA keys for both account keys and certificate keys. Note that you can’t reuse an account key as a certificate key.

  2. Generate a private domain key:

    openssl genrsa -out /etc/pjac/example.com.key 2048 
    
  3. Configure OpenSSL to use alternative domain names:
    As decided above, we use *.example.com as our alternative name.

    You have to specify the alternative domain names in the OpenSSL configuration file for generation of a proper CSR (step 4).
    Edit /etc/pjac/openssl.cnf and set/change the following parameters:

    [ req ]
    req_extensions = v3_req
    
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1 = *.example.com
    

    Important
    Add only alternative names to the section [alt_names], do not put your main domain (i.e. example.com) in your [alt_names] section.

  4. Generate a Certificate Signing Request (CSR) based on the private domain key:

    openssl req -config /etc/pjac/openssl.cnf -new -key /etc/pjac/example.com.key \
      -sha256 -nodes \
      -subj "/C=US/ST=Delaware/L=Wilmington/O=My company/OU=IT Department/CN=example.com/[email protected]" \
      -outform PEM -out /etc/pjac/example.com.csr
    
  5. Register your CA user account (notice that this command accepts the Subscriber Agreement; it is suggested to read it before agreeing):

    java -jar acme_client.jar --command register -a /etc/pjac/account.key \
      --with-agreement-update --email [email protected]
    
  6. Request a certificate order and download DNS01 challenges:

    java -jar acme_client.jar --command order-certificate -a /etc/pjac/account.key \
      -w /etc/pjac/workdir/ -c /etc/pjac/example.com.csr --challenge-type DNS01 \
      --dns-digests-dir /etc/pjac/digests/
    

    For each domain name a challenge file is downloaded and saved to the directory /etc/pjac/digests/. In our case two files are created: example.com_dns_digest and example.com_dns_digest_wildcard (for example.com and *.example.com respectively).

  7. Go to your domain provider and create two TXT DNS records under your example.com domain:

    1. First record. Name: _acme-challenge value: <your digest from the file example.com_dns_digest>;
    2. Second record. Name: _acme-challenge value: <your digest from the file example.com_dns_digest_wildcard>.

    Wait until your DNS records have propagated and check that both digests are visible as TXT records for the name _acme-challenge.example.com (both values must be present at the same name; the second record must not replace the first).
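    A pre-flight check for this step, added here as an example (it is not part of PJAC or of the original guide): it reads the two digest files from step 6 and reports which values are not yet visible as TXT records on _acme-challenge.example.com. It assumes each digest file contains a single value and that `dig` is installed for the live lookup; the comparison itself needs no network.

```python
"""Check that both DNS01 digests are published before running verify-domains.

Added example, not PJAC code. Assumes: one digest value per file in
/etc/pjac/digests/ (file names as created in step 6) and `dig` on PATH.
"""
import re
import subprocess
from pathlib import Path

DIGEST_DIR = Path("/etc/pjac/digests")
DOMAIN = "example.com"
# Files written in step 6 for example.com and *.example.com respectively.
DIGEST_FILES = ("example.com_dns_digest", "example.com_dns_digest_wildcard")


def expected_digests(digest_dir=DIGEST_DIR, files=DIGEST_FILES):
    """Read the digest values the client saved, one value per file (assumption)."""
    return {Path(digest_dir, name).read_text().strip() for name in files}


def parse_txt_answers(dig_output):
    """Turn `dig +short TXT` output into a set of TXT values.

    A long TXT record may be served as several quoted pieces on one line
    ("abc" "def"); those pieces are joined back into one value.
    """
    return {"".join(re.findall(r'"([^"]*)"', line))
            for line in dig_output.splitlines() if '"' in line}


def published_txt(name):
    """TXT values currently served for `name` (live lookup via dig, assumed present)."""
    out = subprocess.run(["dig", "+short", "TXT", name],
                         capture_output=True, text=True, check=True).stdout
    return parse_txt_answers(out)


def missing_digests(expected, published):
    """Digests that the CA expects but that are not (yet) visible in DNS."""
    return sorted(set(expected) - set(published))


def check_domain(domain=DOMAIN, digests=None, lookup=published_txt):
    """Return the list of digests missing from _acme-challenge.<domain>."""
    expected = expected_digests() if digests is None else set(digests)
    return missing_digests(expected, lookup(f"_acme-challenge.{domain}"))


if __name__ == "__main__":
    missing = check_domain()
    if missing:
        print("Not ready; digests still missing in DNS:", *missing, sep="\n  ")
    else:
        print("Both digests are published; safe to run verify-domains.")
```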

  8. Verify the challenges for our CSR:

    java -jar acme_client.jar --command verify-domains -a /etc/pjac/account.key \
      -w /etc/pjac/workdir/ -c /etc/pjac/example.com.csr --challenge-type DNS01
    

    The domains are now authorized.

  9. Generate the certificate and download it:

    java -jar acme_client.jar --command generate-certificate -a /etc/pjac/account.key \
      -w /etc/pjac/workdir/ --csr /etc/pjac/example.com.csr \
      --cert-dir /etc/pjac/certdir/
    
  10. Done. You should now have the following files in the directory /etc/pjac/certdir/:
    cert.pem,
    chain.pem and
    fullchain.pem