This tutorial will show how to create an SSL wildcard certificate for Apache, how to install it and how to use it on multiple sites on the same physical server using SSL virtualhosts. In this tutorial I will request and install an AlphaSSL certificate for the website www.file1.info. I used parts of the instructions found on AlphaSSL.com, although I found out these are not entirely correct. This tutorial is probably not for beginners.

Generating the request for the certificate
After ordering a wildcard certificate you are required to provide a certificate signing request. This is done by creating a private key and a certificate signing request. The first command creates the private key which should remain on the server; it is not needed to provide this to anyone. The second command creates a certificate signing request which should be sent to the website where you bought the certificate.

All fields in the certificate signing request can be left at their defaults, or changed as you like, except the common name. Set this to *.file1.info so we create a wildcard certificate.

Although AlphaSSL has a tutorial where they create a 1024 bit key, only 2048 bit keys are accepted. Also, the order of the openssl commands is wrong on the AlphaSSL website.

The private key can be protected with a password, but this is not required. A password can always be removed from a private key later (even after the certificate is installed and used).

If the private key has a password, it must be entered every time Apache is (re)started, or a custom program has to be written to feed it to Apache automatically; see the Apache docs on SSLPassPhraseDialog for details.

Remember, enter the correct common name with an asterisk: *.file1.info

Creating the private key, choose a password, write it down and don't forget it!
Code:
$ openssl genrsa -out file1.info.key -des3 2048
Generating RSA private key, 2048 bit long modulus
..............................................................................+++
.....+++
e is 65537 (0x10001)
Enter pass phrase for file1.info.key:
Verifying - Enter pass phrase for file1.info.key:
Creating the certificate signing request
Remember to use *.file1.info for wildcard certificates! The values you enter cannot be changed after you receive the certificate, but other than the common name they don't really matter.
Code:
$ openssl req -out file1.info.csr -new -key file1.info.key
Enter pass phrase for file1.info.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:*.file1.info
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Most vendors don't support a challenge password, so leave this blank. The resulting csr file is usually pasted into a web form, depending on your vendor. After that you will receive the requested certificates, often sent by email.

Optional: remove a password from the private key file
If you used a password on the private key, you are required to enter it every time Apache (re)starts. Although this adds some safety, it can be irritating. You can remove it with the following command:
Code:
openssl rsa -in file1.info.key -out file1.info.key.nopass
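The key and CSR steps above as one script, added here as an example and not taken from the AlphaSSL or Apache instructions: it generates the key and the wildcard CSR non-interactively, creates the key owner-only (0600) since it is written without a passphrase, and checks the CN, the key size and the key/CSR match before anything is sent to the vendor. It assumes openssl is on PATH; the domain (file1.info) and the output directory are parameters.

```shell
#!/bin/sh
# Added example, not from the original post: create and sanity-check a
# wildcard key + CSR for a domain without the interactive prompts.
# Assumes openssl on PATH. Domain and output directory are parameters.
set -e

# Create a 2048-bit key and a CSR whose CN is the wildcard for $1, in $2.
# The key has no passphrase (see the SSLPassPhraseDialog note above), so the
# umask in the subshell makes sure it is created readable by its owner only.
gen_wildcard_csr() {
    domain=$1; dir=$2
    ( umask 077; openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null )
    # -subj fills in the DN without prompting; only the CN matters to the vendor.
    openssl req -new -key "$dir/$domain.key" -out "$dir/$domain.csr" \
        -subj "/CN=*.$domain"
}

# Print the common name of a CSR, e.g. "*.file1.info".
csr_common_name() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# Print the RSA modulus size of a private key in bits (vendors want 2048).
key_bits() {
    openssl pkey -in "$1" -noout -text |
        sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Succeed only if key and CSR share the same modulus (the classic mismatch check).
key_matches_csr() {
    k=$(openssl rsa -in "$1" -noout -modulus)
    c=$(openssl req -in "$2" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo: generate into a scratch directory and report what a vendor would see.
workdir=$(mktemp -d)
gen_wildcard_csr file1.info "$workdir"
echo "CN:    $(csr_common_name "$workdir/file1.info.csr")"
echo "bits:  $(key_bits "$workdir/file1.info.key")"
echo "perms: $(ls -l "$workdir/file1.info.key" | cut -c1-10)"
key_matches_csr "$workdir/file1.info.key" "$workdir/file1.info.csr" && echo "key/CSR match"
```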
Installing the certificates
Although I try to keep this tutorial as generic as possible, not every SSL certificate comes with a root and an intermediate certificate. If your SSL provider has an intermediate certificate and a root certificate, you can create an authority file containing the root and the intermediate certificate in this exact format:
Code:
-----BEGIN CERTIFICATE-----
GlobalSign Root CA Certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
AlphaSSL intermediate Certificate
-----END CERTIFICATE-----
In the end you will have three certificate files, ready for installation in Apache. Install the certificates in the locations you see here. The private key never left your system, the crt file is returned after you send in the csr file, and the CA bundle is created from the intermediate and root certificate found on your vendor's website.
Code:
/etc/ssl/private/file1.info.private.key
/etc/ssl/certs/file1.info.crt
/etc/ssl/certs/file1.info.ca-bundle
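Before Apache loads the three files, it is worth checking that they belong together. The script below is an added example (not the vendor's or the post's own code); since a real GlobalSign/AlphaSSL chain cannot be embedded here, it creates a throwaway root and intermediate CA locally to stand in for them, builds the ca-bundle in the layout shown above, and then runs the three checks a practitioner wants: the certificate verifies against the bundle, the private key matches the certificate, and the certificate covers the hostnames Apache will serve (the wildcard alone covers www.file1.info but not the bare file1.info).

```shell
#!/bin/sh
# Added example, not from the original post. A stand-in root and intermediate
# CA are constructed here so the checks run offline; with a real certificate,
# point the functions at the three installed files instead.
set -e
work=$(mktemp -d)

# Issue "$2.crt" for request "$2.csr" with CA "$1", using extensions from file "$3".
sign_with_ca() {
    openssl x509 -req -days 3 -in "$work/$2.csr" -CA "$work/$1.crt" \
        -CAkey "$work/$1.key" -CAcreateserial -out "$work/$2.crt" -extfile "$3" 2>/dev/null
}

# Constructed hierarchy: root -> intermediate -> wildcard leaf (CN only, no SAN).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > "$work/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$work/leaf.ext"
for n in root int leaf; do openssl genrsa -out "$work/$n.key" 2048 2>/dev/null; done
openssl req -x509 -new -days 3 -key "$work/root.key" -subj "/CN=Stand-in Root CA" -out "$work/root.crt"
openssl req -new -key "$work/int.key" -subj "/CN=Stand-in Intermediate CA" -out "$work/int.csr"
sign_with_ca root int "$work/ca.ext"
openssl req -new -key "$work/leaf.key" -subj "/CN=*.file1.info" -out "$work/leaf.csr"
sign_with_ca int leaf "$work/leaf.ext"

# The bundle in the layout given above: root certificate first, then intermediate.
cat "$work/root.crt" "$work/int.crt" > "$work/file1.info.ca-bundle"

# Check 1: the server certificate chains to the bundle. Prints OK or FAIL.
verify_chain() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo OK || echo FAIL; }

# Check 2: private key and certificate share a modulus (a swapped key fails here).
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# Check 3: the certificate matches a hostname Apache will serve under it.
cert_covers() { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }

# Demo against the constructed files.
echo "chain:          $(verify_chain "$work/file1.info.ca-bundle" "$work/leaf.crt")"
key_matches_cert "$work/leaf.key" "$work/leaf.crt" && echo "key/cert:       match"
cert_covers "$work/leaf.crt" www.file1.info && echo "www.file1.info: covered"
cert_covers "$work/leaf.crt" file1.info || echo "file1.info:     NOT covered by *.file1.info alone"
```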
Using a wildcard certificate to use multiple hostnames on a single IP and still use SSL for every subdomain

This is the hardest part, and some people think it's impossible. The reason is that Apache (or rather SSL itself) does not support multiple SSL certificates on a single IP: the hostname (e.g. file1.info or mail.file1.info) is not sent by the client when setting up the initial SSL connection, so Apache does not know which site the request is for.
This is not a problem with wildcard SSL certificates, because all hostnames/domains use the same SSL certificate.
To support this configuration add "NameVirtualHost *:443" to the file /etc/apache2/ports.conf, so it looks like this. You can ignore the comment in the configuration file, saying what we're about to do is impossible.
Code:
<IfModule mod_ssl.c>
# SSL name based virtual hosts are not yet supported, therefore no
# NameVirtualHost statement here
NameVirtualHost *:443
Listen 443
</IfModule>
Of course this only works for wildcard certificates. Now configure VirtualHosts on port 443, just like regular port 80 VirtualHosts. This is my Apache configuration file for the SSL website:
Code:
<VirtualHost *:443>
  DocumentRoot /var/www/file1
  ServerName   *.file1.info
  ServerAlias  file1.info
  ServerAlias  www.file1.info

  ErrorLog /var/log/apache2/error.log
  CustomLog /var/log/apache2/access.log combined

  Options -Indexes

  SSLEngine on
  SSLCertificateKeyFile /etc/ssl/private/file1.info.private.key
  SSLCertificateFile /etc/ssl/certs/file1.info.crt
  SSLCertificateChainFile /etc/ssl/certs/file1.info.ca-bundle
</VirtualHost>
Now say a prayer and restart Apache... SSL should work. But remember, there should be no warnings when Apache is started! The only warning should be in the log file, like:
Code:
 Init: You should not use name-based virtual hosts in conjunction with SSL!!
It's perfectly safe to ignore this warning when using wildcard certificates. You can find some interesting discussion about developers arguing to remove this warning message if you search around the web.