Enabling SSL/TLS on every site—whether in a home lab or in production—is a good practice. While Let’s Encrypt offers free certificates suitable for most setups, I prefer using eMudhra’s emSign CA, especially for wildcard certificates and environments where commercial CA validation is preferred.
This post documents the complete process of generating a wildcard SSL certificate using eMudhra’s emSign Certificate Authority. The workflow includes generating a private key and CSR, completing domain validation, and preparing a proper CA bundle for use in your servers or Kubernetes environments.
This guide applies to any Linux environment using OpenSSL.
1. Generate the Private Key and CSR
Begin by generating a 2048-bit RSA private key and Certificate Signing Request (CSR):
openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
OpenSSL will prompt for certificate attributes. Fill them as shown:
Country Name (2 letter code) [AU]: IN
State or Province Name (full name) []: YourState
Locality Name (eg, city) []: YourCity
Organization Name (eg, company) []: YourOrgName
Organizational Unit Name (eg, section) []: AnyUnitName
Common Name (e.g. server FQDN or YOUR name) []: *.yourdomain.com
Email Address []: name@example.com
Important
For wildcard certificates, the Common Name must start with *., for example:
*.yourdomain.com
When prompted for additional optional fields:
A challenge password []:
An optional company name []:
Leave them empty.
This completes CSR generation.
Keep yourdomain.key safe—it will be required during server configuration.
2. Domain Ownership Validation
As part of the certificate issuance workflow, eMudhra will require domain control validation.
Typically this involves:
- eMudhra generating a unique token
- You adding a TXT record in your domain’s DNS
- Waiting for DNS propagation
- Completing validation in the portal
Keep your DNS management UI open while requesting the certificate.
3. Upload the CSR to eMudhra (emSign)
- Log in to your eMudhra/emSign portal.
- Upload the yourdomain.csr generated above.
- Complete the required domain validation steps.
- Once approved, the certificate will be issued.
You will receive a ZIP package containing:
CA_emSign SSL CA - G1→ ca.crtEndEntity_wc.yourdomain→ yourdomain.crtRootCA_emSign Root CA - G1→ root.crt
These form the certificate chain.
4. Prepare the CA Bundle
Most servers (Apache, NGINX, HAProxy, Ingress controllers, Docker Registry, etc.) require the intermediate + root certificates in a combined format.
Clean the intermediate certificate
openssl x509 -in ca.crt -out ca_clean.pem
Clean the root certificate
openssl x509 -in root.crt -out root_clean.pem
Combine them into a CA bundle
cat ca_clean.pem root_clean.pem > ca_bundle.crt
Clean temporary files
rm -f ca_clean.pem root_clean.pem
You now have the final files:
- yourdomain.key → Private key
- yourdomain.crt → End-entity wildcard certificate
- ca_bundle.crt → Combined intermediate + root CA
This bundle is required for proper certificate chain validation in most TLS stacks.
5. Deployment Overview
Apache (httpd)
SSLCertificateFile /path/to/yourdomain.crt
SSLCertificateKeyFile /path/to/yourdomain.key
SSLCertificateChainFile /path/to/ca_bundle.crt
NGINX
ssl_certificate /path/to/yourdomain.crt;
ssl_certificate_key /path/to/yourdomain.key;
ssl_trusted_certificate /path/to/ca_bundle.crt;
Docker Registry / Kubernetes
Place the certificates under:
/etc/docker/certs.d/<domain>:5000/
Files required:
yourdomain.crtca_bundle.crtyourdomain.key
Kubernetes Ingress controllers like NGINX, Traefik, HAProxy, and Istio can use the same files