In this short blog post, we will create an OpenSSL request for a wildcard certificate. We go over the installation, the configuration, and the request itself. I am performing the steps on a Windows 11-based machine and requesting the certificate at https://www.xolphin.nl/, an external certificate provider; this can also be an internal certificate provider such as Microsoft Active Directory Certificate Services (ADCS).
A wildcard certificate can be used for many purposes, either as an internal or an external certificate, for example on a load balancer or on a web server hosting multiple HTTPS services. In my case, I am using it for my lab environment with a load balancer, to eliminate certificate complexity for some simple testing of web applications in Kubernetes.
Environment
My environment for performing this operation is as follows:
- Operating System: Windows 11 X64
- Public internet access: yes
- Permissions on the system: Administrator
Installation of OpenSSL on Windows 11
To install OpenSSL on a Windows 11 machine, the easiest way is with the package manager Chocolatey (“choco“). Open a PowerShell command prompt with administrative permissions and run the following command:
# Installation of OpenSSL on your system
choco install openssl
PS C:\windows\system32> choco install openssl
Chocolatey v1.4.0
Installing the following packages:
openssl
By installing, you accept licenses for the packages.
Progress: Downloading vcredist2015 14.0.24215.20170201... 100%
Progress: Downloading vcredist140 14.36.32532... 100%
Progress: Downloading chocolatey-core.extension 1.4.0... 100%
Progress: Downloading chocolatey-compatibility.extension 1.0.0... 100%
Progress: Downloading KB3033929 1.0.5... 100%
Progress: Downloading chocolatey-windowsupdate.extension 1.0.5... 100%
Progress: Downloading KB3035131 1.0.3... 100%
Progress: Downloading KB2919355 1.0.20160915... 100%
Progress: Downloading KB2919442 1.0.20160915... 100%
Progress: Downloading KB2999226 1.0.20181019... 100%
Progress: Downloading openssl 3.1.1... 100%
chocolatey-compatibility.extension v1.0.0 [Approved]
chocolatey-compatibility.extension package files install completed. Performing other installation steps.
Installed/updated chocolatey-compatibility extensions.
The install of chocolatey-compatibility.extension was successful.
Software installed to 'C:\ProgramData\chocolatey\extensions\chocolatey-compatibility'
chocolatey-core.extension v1.4.0 [Approved]
chocolatey-core.extension package files install completed. Performing other installation steps.
Installed/updated chocolatey-core extensions.
The install of chocolatey-core.extension was successful.
Software installed to 'C:\ProgramData\chocolatey\extensions\chocolatey-core'
chocolatey-windowsupdate.extension v1.0.5 [Approved]
chocolatey-windowsupdate.extension package files install completed. Performing other installation steps.
Installed/updated chocolatey-windowsupdate extensions.
The install of chocolatey-windowsupdate.extension was successful.
Software installed to 'C:\ProgramData\chocolatey\extensions\chocolatey-windowsupdate'
KB3035131 v1.0.3 [Approved]
kb3035131 package files install completed. Performing other installation steps.
The package KB3035131 wants to run 'ChocolateyInstall.ps1'.
Note: If you don't run this script, the installation will fail.
Note: To confirm automatically next time, use '-y' or consider:
choco feature enable -n allowGlobalConfirmation
Do you want to run the script?([Y]es/[A]ll - yes to all/[N]o/[P]rint): A
Skipping installation because update KB3035131 does not apply to this operating system (Microsoft Windows 11 Pro).
The install of kb3035131 was successful.
Software install location not explicitly set, it could be in package or
default install location of installer.
KB3033929 v1.0.5 [Approved]
kb3033929 package files install completed. Performing other installation steps.
Skipping installation because update KB3033929 does not apply to this operating system (Microsoft Windows 11 Pro).
The install of kb3033929 was successful.
Software install location not explicitly set, it could be in package or
default install location of installer.
KB2919442 v1.0.20160915 [Approved]
kb2919442 package files install completed. Performing other installation steps.
Skipping installation because this hotfix only applies to Windows 8.1 and Windows Server 2012 R2.
The install of kb2919442 was successful.
Software install location not explicitly set, it could be in package or
default install location of installer.
KB2919355 v1.0.20160915 [Approved]
kb2919355 package files install completed. Performing other installation steps.
Skipping installation because this hotfix only applies to Windows 8.1 and Windows Server 2012 R2.
The install of kb2919355 was successful.
Software install location not explicitly set, it could be in package or
default install location of installer.
KB2999226 v1.0.20181019 [Approved] - Possibly broken
kb2999226 package files install completed. Performing other installation steps.
Skipping installation because update KB2999226 does not apply to this operating system (Microsoft Windows 11 Pro).
The install of kb2999226 was successful.
Software install location not explicitly set, it could be in package or
default install location of installer.
vcredist140 v14.36.32532 [Approved]
vcredist140 package files install completed. Performing other installation steps.
Runtime for architecture x86 version 14.36.32532 is already installed.
Runtime for architecture x64 version 14.36.32532 is already installed.
The install of vcredist140 was successful.
Software install location not explicitly set, it could be in package or
default install location of installer.
vcredist2015 v14.0.24215.20170201 [Approved]
vcredist2015 package files install completed. Performing other installation steps.
The install of vcredist2015 was successful.
Software installed to 'C:\ProgramData\chocolatey\lib\vcredist2015'
openssl v3.1.1 [Approved]
openssl package files install completed. Performing other installation steps.
Installing 64-bit openssl...
openssl has been installed.
WARNING: No registry key found based on 'OpenSSL-Win'
PATH environment variable does not have C:\Program Files\OpenSSL-Win64\bin in it. Adding...
WARNING: OPENSSL_CONF has been set to C:\Program Files\OpenSSL-Win64\bin\openssl.cfg
openssl can be automatically uninstalled.
Environment Vars (like PATH) have changed. Close/reopen your shell to
see the changes (or in powershell/cmd.exe just type `refreshenv`).
The install of openssl was successful.
Software installed to 'C:\Program Files\OpenSSL-Win64\'
Chocolatey installed 11/11 packages.
See the log for details (C:\ProgramData\chocolatey\logs\chocolatey.log).
Installed:
- kb3033929 v1.0.5
- chocolatey-windowsupdate.extension v1.0.5
- vcredist140 v14.36.32532
- kb2999226 v1.0.20181019
- kb2919355 v1.0.20160915
- chocolatey-core.extension v1.4.0
- kb2919442 v1.0.20160915
- vcredist2015 v14.0.24215.20170201
- chocolatey-compatibility.extension v1.0.0
- openssl v3.1.1
- kb3035131 v1.0.3
PS C:\windows\system32>
Configuring OpenSSL on Windows 11
To create a certificate request, you need to tell OpenSSL what to generate. So we create a configuration file for OpenSSL that specifies what type of certificate request should be generated.
Create the following configuration file, called “config.cfg“. This is the configuration file that OpenSSL will use when running the command listed below. Replace the %...% placeholders with your own domain name and company information; a filled-in example follows the template.
[ req ]
default_bits = %In most cases: 2048 or 4096%
default_keyfile = %key file name%
default_md = sha512
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
[ req_distinguished_name ]
commonName = %Certificate address > your wildcard%
countryName = %Company country code%
emailAddress = %Administrator/IT email%
localityName = %Company location%
organizationName = %Company name%
organizationalUnitName = %Company department%
stateOrProvinceName = %Company location province%
[ req ]
default_bits = 4096
default_keyfile = wildcard.domain.com.key
default_md = sha512
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
[ req_distinguished_name ]
commonName = *.domain.com
countryName = NL
emailAddress = admin@domain.com
localityName = Amsterdam
organizationName = Domain B.V.
organizationalUnitName = IT
stateOrProvinceName = Noord-Holland
Creating the Wildcard Certificate Request with OpenSSL
Now it is time to generate the certificate request that can be delivered to your certificate provider. This is done by running the following commands in an elevated PowerShell command prompt.
# Set the path variable
$path = "c:\Users\$Env:UserName\Desktop\cert"
# Create directory
mkdir $path
# Copy the config.cfg into the $path location (manually)
# Create the certificate request
openssl req -new -nodes -out "$path\wildcard.domain.com.csr" -config "$path\config.cfg" -keyout "$path\wildcard.domain.com.key"
# After running the commands, you will end up with three files in the $path location
- config.cfg
- wildcard.domain.com.csr
- wildcard.domain.com.key
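As an added example (not from the original post), the same request built with a subjectAltName section and checked before it is uploaded, written for a POSIX shell; the openssl commands are identical in PowerShell. It assumes openssl is on PATH; the domain, directory and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the post's own commands: wildcard CSR with a SAN, then a check.
set -e

# Writes config.cfg, the private key and the CSR into the directory given as $1.
make_wildcard_csr() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/config.cfg" <<'EOF'
[ req ]
default_bits = 2048
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions = v3_req
encrypt_key = no
prompt = no

[ req_distinguished_name ]
commonName = *.domain.com
countryName = NL
organizationName = Domain B.V.

[ v3_req ]
# Browsers match hostnames against the SAN list, not the CN; the apex name
# is not covered by "*.domain.com", so it is listed explicitly.
subjectAltName = DNS:*.domain.com, DNS:domain.com
EOF
    openssl req -new -nodes \
        -config "$dir/config.cfg" \
        -keyout "$dir/wildcard.domain.com.key" \
        -out "$dir/wildcard.domain.com.csr" 2>/dev/null
}

# Decodes the CSR, verifies its self-signature, and fails if the CN or SAN
# does not carry the wildcard; prints the decoded request on success.
check_wildcard_csr() {
    csr="$1"
    text=$(openssl req -in "$csr" -noout -text -verify 2>&1)
    echo "$text" | grep -q 'DNS:\*\.domain\.com' || { echo "SAN missing"; return 1; }
    echo "$text" | grep -q 'CN *= *\*\.domain\.com' || { echo "CN mismatch"; return 1; }
    echo "$text"
}
```

Only the .csr file is uploaded to the provider; the .key file stays on the machine that will serve the certificate.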
Signing the request
Go to your certificate provider's website and upload the “wildcard.domain.com.csr” file. You should receive the wildcard certificate in a couple of minutes or hours, depending on the certificate provider.
Wrap up
So this is my blog post about creating a wildcard certificate with OpenSSL. Hopefully, it is useful for somebody, please respond below if you have any comments or additional information! See you next time! 🙂