When managing infrastructure with multiple subdomains, security-conscious administrators often face this dilemma: how to deploy SSL certificates to remote servers without unnecessarily exposing the primary wildcard private key. The ideal solution would allow deriving subdomain-specific certificates from the main wildcard certificate.
While certificate chains allow verification through parent certificates, the actual generation of new certificates requires either:
- Certificate Authority reissuance (traditional approach)
- Using the original private key to create derivative certificates (our focus)
Here's how to create a subdomain certificate for app1.example.com when you possess *.example.com wildcard cert:
# Extract the private key (if not already separate)
openssl rsa -in wildcard.key -out app1.key
# Create CSR for specific subdomain
openssl req -new -key app1.key -subj "/CN=app1.example.com" -out app1.csr
# Generate the certificate using existing wildcard cert
openssl x509 -req -in app1.csr -CA wildcard.crt -CAkey wildcard.key \
-CAcreateserial -out app1.crt -days 365 -sha256
This approach provides several security advantages:
- Original wildcard private key never leaves secure storage
- Compromise of app1.key only affects the specific subdomain
- Certificate chain still validates through the trusted wildcard cert
For enhanced security, consider adding these parameters to the certificate generation:
openssl x509 -req -in app1.csr -CA wildcard.crt -CAkey wildcard.key \
-CAcreateserial -out app1.crt -days 90 -sha384 \
-extfile <(printf "subjectAltName=DNS:app1.example.com")
Always verify the generated certificate chain:
openssl verify -CAfile wildcard.crt app1.crt
Remember to set appropriate permissions on the generated key files (typically 400) and consider implementing certificate rotation policies for the derived certificates.
When dealing with distributed server infrastructure, security-conscious administrators often face a dilemma: how to deploy SSL certificates to remote servers while minimizing exposure of the master wildcard private key. The ideal solution would allow deriving subdomain-specific certificates from the wildcard certificate without CA reissuance.
Technically, this is possible through certificate chaining and OpenSSL's capabilities. The process involves:
- Creating a CSR for the specific subdomain
- Using the wildcard private key to sign it
- Establishing a proper certificate chain
Here's how to generate a subdomain certificate (app.example.com) from a wildcard (*.example.com) certificate:
# 1. Create private key for the subdomain (optional but recommended)
openssl genrsa -out app_example_com.key 2048
# 2. Create CSR for the subdomain
openssl req -new -key app_example_com.key -subj "/CN=app.example.com" -out app_example_com.csr
# 3. Sign the CSR using wildcard certificate's key
openssl x509 -req -in app_example_com.csr \
-CA wildcard_example_com.crt \
-CAkey wildcard_example_com.key \
-CAcreateserial \
-out app_example_com.crt \
-days 365
While this approach works, consider these security implications:
- The derived certificate inherits the wildcard cert's trust chain
- Compromise of the subdomain key doesn't expose the wildcard key
- Certificate revocation would still affect all derived certificates
For production environments, these alternatives might be better:
# Using OpenSSL's CA.pl for more control
openssl ca -config openssl.cnf \
-policy policy_anything \
-out app_example_com.crt \
-infiles app_example_com.csr
Always verify the generated certificate:
openssl verify -CAfile wildcard_example_com.crt app_example_com.crt
openssl x509 -in app_example_com.crt -text -noout
When deploying the derived certificate:
- Keep permissions restrictive (chmod 400)
- Use separate key pairs for critical subdomains
- Monitor certificate expiration dates