
January 15, 2026


Generate wildcard SSL certificate and use it for HTTPS without annoying browser warnings

I use self-signed certificates to encrypt the traffic to and from all my home server applications, instead of using an external Certificate Authority. I figured out how to generate these certificates and make my browsers trust them on Windows and iPhone. Here's how to do it:

Generate CA and self-signed certificate

Step 1

Create the Certificate Authority private key

openssl genrsa -out ca.key 4096

Step 2

Generate the Certificate Authority root certificate

openssl req -x509 -new -nodes \
-key ca.key -subj "/CN=MyCA/C=NL/L=Local" \
-days 1825 -out ca.crt

Change the Common Name (CN), Country (C) and Location (L) in the subj parameter to your own values. The days parameter is set to 1825, so the root certificate is valid for 1825 days, or 5 years, but you can change this to your liking as well.

Step 3

Create the private key for your server

openssl genrsa -out private.key 4096

Step 4

Create the Certificate Signing Request (CSR) and sign it with the server private key. Use the same -subj parameter as in step 2.

openssl req -new -key private.key -out request.csr \
-subj "/CN=MyCA/C=NL/L=Local"

Step 5

Create the configuration file wildcard.ext for the certificate and CSR

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.server.home
DNS.2 = server.home

Change the DNS.1 and DNS.2 fields to the desired domain of your server. The *.server.home entry (specifically the *) makes sure we get a wildcard certificate that will work for all the subdomains of our server domain.

Step 6

Generate SSL certificate

openssl x509 -req -in request.csr -CA ca.crt -CAkey ca.key \
-CAcreateserial -out wildcard.crt -days 730 \
-sha256 -extfile wildcard.ext

You now have the three files you need: wildcard.crt, private.key and ca.crt.
wildcard.crt and private.key are the certificate and key for your server. I use them for my Traefik reverse proxy so all my Docker containers are accessible over HTTPS. ca.crt is the root certificate of your certificate authority; we use it in the next steps to make our devices trust our certificate.
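As an added example (not part of the original post, and not OpenSSL's own code), here are the same six steps expressed with Go's standard crypto/x509 package: a self-signed root CA, a server certificate signed by it with basicConstraints CA:FALSE, the post's keyUsage bits and the two subjectAltName entries, followed by the check a browser performs once ca.crt is installed as a trusted root. It also shows the edge case the wildcard entry hides: a * matches exactly one DNS label, so *.server.home covers app.server.home but not deep.app.server.home. Two details are this example's own assumptions rather than the post's: the server certificate gets CN=server.home instead of reusing the CA subject (browsers match on SAN, not CN), and the key size is a parameter so the demo runs quickly at 2048 bits, where the post uses 4096.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Bundle holds what the six steps leave on disk: ca.crt (+ ca.key), wildcard.crt and private.key.
type Bundle struct {
	CA        *x509.Certificate
	CAKey     *rsa.PrivateKey
	Server    *x509.Certificate
	ServerKey *rsa.PrivateKey
}

// GenerateBundle builds the root CA (steps 1-2) and the server certificate (steps 3-6)
// in memory. bits is the RSA key size (the post uses 4096); sans are the DNS entries
// from wildcard.ext.
func GenerateBundle(bits int, sans []string) (*Bundle, error) {
	caKey, err := rsa.GenerateKey(rand.Reader, bits) // openssl genrsa -out ca.key
	if err != nil {
		return nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "MyCA", Country: []string{"NL"}, Locality: []string{"Local"}},
		NotBefore:             now.Add(-time.Hour),     // small backdate tolerates clock skew
		NotAfter:              now.AddDate(0, 0, 1825), // -days 1825
		IsCA:                  true,                    // a root must carry basicConstraints CA:TRUE
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	// Self-signed: template and parent are the same certificate (openssl req -x509).
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	serverKey, err := rsa.GenerateKey(rand.Reader, bits) // openssl genrsa -out private.key
	if err != nil {
		return nil, err
	}
	serverTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // openssl allocated this via -CAcreateserial
		// Assumption of this example: the server gets its own CN rather than reusing the CA's.
		Subject:               pkix.Name{CommonName: "server.home", Country: []string{"NL"}, Locality: []string{"Local"}},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(0, 0, 730), // -days 730
		BasicConstraintsValid: true,                   // basicConstraints=CA:FALSE
		IsCA:                  false,
		// keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment |
			x509.KeyUsageKeyEncipherment | x509.KeyUsageDataEncipherment,
		DNSNames: sans, // subjectAltName = @alt_names
	}
	// Signed with the CA key, CA certificate as parent (openssl x509 -req -CA ca.crt -CAkey ca.key).
	// Go copies the CA's SubjectKeyId into the leaf's AuthorityKeyId (authorityKeyIdentifier=keyid).
	serverDER, err := x509.CreateCertificate(rand.Reader, serverTmpl, ca, &serverKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	server, err := x509.ParseCertificate(serverDER)
	if err != nil {
		return nil, err
	}
	return &Bundle{CA: ca, CAKey: caKey, Server: server, ServerKey: serverKey}, nil
}

// VerifyHost is the check a browser performs once ca.crt is a trusted root: chain
// wildcard.crt to the CA, then match host against the SAN entries. A wildcard matches
// exactly one DNS label, so *.server.home covers app.server.home, not deep.app.server.home.
func VerifyHost(b *Bundle, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(b.CA)
	_, err := b.Server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	b, err := GenerateBundle(2048, []string{"*.server.home", "server.home"})
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"app.server.home", "server.home", "deep.app.server.home", "other.home"} {
		fmt.Printf("%-22s -> %v\n", h, VerifyHost(b, h)) // nil means the browser would accept it
	}
}
```

With the files produced by the post's commands, the equivalent command-line checks are `openssl verify -CAfile ca.crt wildcard.crt` for the chain and `openssl x509 -in wildcard.crt -noout -text` to read back the Subject Alternative Name entries before handing the files to the reverse proxy.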

Trust the certificate authority on Windows and iPhone

Windows

  • Get the Certificate Authority root certificate from step 2 onto your Windows device. I used SCP for this, a file transfer protocol that runs over SSH.

  • Press Win + R, type mmc and press Enter. In the File menu, click Add/Remove Snap-in...

  • Select Certificates in the list on the left and click Add in the middle of the window. Choose which account to manage certificates for; I suggest picking Computer account. Then click Next, leave Local computer selected, click Finish and then OK in the previously opened window.

  • Expand the Certificates (Local Computer) tree on the left and look for Trusted Root Certification Authorities. There, right-click Certificates and choose All Tasks -> Import... Finally, choose your Certificate Authority root certificate file, in my case ca.crt.

Now the browsers on your Windows machine will no longer show a self-signed certificate warning when you browse to your server over HTTPS.

iPhone

  • Download the certificate on your iPhone and open it in the Files app.
  • Open Settings and tap Profile Downloaded at the top. Install the profile.
  • Lastly, in Settings go to General, then About, scroll all the way down and tap Certificate Trust Settings. Toggle the switch for your certificate.

Now your certificate is trusted on iPhone 🚀🚀. Enjoy the self-made tech.