A wildcard certificate costs more than a single fully qualified domain name, but it lets me secure any FQDN under my main domain.
The basic steps are:
1: Generate a Key
2: Generate a CSR (Certificate Signing Request)
3: Send that to the vendor and give them some money
4: Receive an SSL Certificate back via email
5: Paste that into a file on your host
6: Restart Apache and verify operation
In detail, here are my specific steps:
1: Start the new or renewal certificate process on the vendor's web site
2: Create an SSL Key
You should only need to do this once and then you can reuse it multiple times.
Create a directory to hold your SSL files. For the purposes of this tutorial I'm using 'example.com' as the domain. You can put the key into any file, but give it a name that makes sense, e.g. example.com.key
If you want to protect the key with a passphrase then add the -des3 option to the command. If you do, then you need to enter the passphrase whenever your server starts up. If you do NOT, then set the permissions on your files correctly (see below).
# openssl genrsa 1024 > example.com.key
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
3: Create a CSR (Certificate Signing Request)
This process will ask you several questions, of which the MOST IMPORTANT is the COMMON NAME. This is the domain name that you want the certificate for. For a single domain this might be www.example.com. For a wildcard certificate use an asterisk in the name, like *.example.com.
The prompt from the openssl program is unclear when it asks for YOUR name - it wants the domain name. Clear on that, right?
It also asks for a challenge password - with rapidssl.com this wasn't used, so don't worry about it. Enter the other info as appropriate for your organization.
# openssl req -new -key ./example.com.key > example.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Washington
Locality Name (eg, city) :Seattle
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Craic Computing LLC
Organizational Unit Name (eg, section) :
Common Name (eg, YOUR name) :*.example.com
Email Address :firstname.lastname@example.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
4: Send the CSR to your Vendor
Cut and paste the contents of the file in full into the Vendor's web form. With rapidssl.com there is a phone verification process that you have to go through after they receive it. Basically an automated call comes through and you have to enter a confirmation code that they put on their web site. Plus you need to do the whole credit card and contact information thing on their site. It all ends with several emails back from them, one of which includes the Certificate.
5: Paste the certificate into a file on your host
Once again, choose an appropriate name, e.g. example.com.crt
Verify the contents of the certificate file with:
# openssl x509 -text -in example.com.crt
You will see all sorts of information.
6: CHANGE THE FILE PERMISSIONS - CHANGE THEM NOW!
# chmod 400 example.com.key
# chmod a-w example.com.crt
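Steps 2, 3 and 6 above, as one added script (not part of the original walkthrough) that generates the key and the wildcard CSR without the interactive prompts and then checks the result: that the CSR really carries the wildcard Common Name, that it was signed with the key you just made, and that the key ended up with mode 400. It assumes openssl is on the PATH and writes to a temporary directory unless WORKDIR is set; it uses a 2048-bit key rather than the 1024 bits shown above.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): non-interactive key and
# wildcard CSR generation, plus checks on the result. Assumes openssl is in PATH.
set -eu

DOMAIN="${1:-example.com}"            # domain from the walkthrough; override via $1
WORKDIR="${WORKDIR:-$(mktemp -d)}"    # assumed working directory for the SSL files
KEY="$WORKDIR/$DOMAIN.key"
CSR="$WORKDIR/$DOMAIN.csr"

# Step 2: generate the private key. 2048 bits here rather than the 1024 in the
# walkthrough; umask 077 keeps the file private from the moment it is created.
gen_key() {
  (umask 077 && openssl genrsa -out "$KEY" 2048 2>/dev/null)
  chmod 400 "$KEY"   # step 6 of the walkthrough
}

# Step 3: build the CSR with the wildcard as Common Name. Passing the DN with
# -subj avoids the interactive prompts (and the unused challenge password).
gen_csr() {
  openssl req -new -key "$KEY" -out "$CSR" \
    -subj "/C=US/ST=Washington/L=Seattle/O=Craic Computing LLC/CN=*.$DOMAIN"
}

# Read back the CN embedded in the CSR to confirm the wildcard really went in.
csr_common_name() {
  openssl req -in "$CSR" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Confirm the CSR was made from this key: both must carry the same modulus.
# The same comparison with "openssl x509" checks the certificate the vendor returns.
csr_matches_key() {
  k=$(openssl rsa -in "$KEY" -noout -modulus)
  c=$(openssl req -in "$CSR" -noout -modulus)
  [ "$k" = "$c" ]
}

# Report the key file's permission bits (GNU stat first, BSD stat as fallback).
key_mode() {
  stat -c '%a' "$KEY" 2>/dev/null || stat -f '%Lp' "$KEY"
}

gen_key
gen_csr
echo "CSR CN: $(csr_common_name)"
csr_matches_key && echo "CSR matches key $KEY"
echo "key mode: $(key_mode)"
```

Run it as `sh make-csr.sh example.com`; the modulus comparison is the quick way to catch a certificate pasted next to the wrong key before you restart Apache.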
7: Setup Apache2
Modify your configuration files so that Apache knows where to find the certificate. In my case I'm using something like this:
You can put the certificate and key in any files you want; you just need to tell Apache where they are. Your Apache configuration might be different from this.
8: Test it out
Go to the site in your browser. You should see a lock icon. Click on that and view the certificate details. It should all be good.
9: COPY THE KEY AND CERTIFICATE FILES TO A BACKUP MACHINE - COPY THEM NOW!