When you have several subdomains under one main domain, setting up security for each one separately can be time-consuming and confusing. That’s where Wildcard SSL Certificates are really useful. They let you secure your main domain and all its subdomains with just one certificate. It saves time, effort, and money.

Whether you're a developer, sysadmin, or business owner, this guide will help you confidently install an SSL certificate on an Nginx server and verify that your website is protected.

What Is a Wildcard SSL Certificate?

A Wildcard SSL Certificate is an SSL certificate that allows you to secure a primary domain and all its subdomains with a single certificate. For example, a wildcard certificate for *.example.com would cover:

  • www.example.com
  • blog.example.com
  • mail.example.com

and any other subdomain of example.com.

This makes Wildcard certificates ideal for businesses or platforms managing multiple services under a single domain structure.

Prerequisites Before Installation

Before we dive into the installation steps, here’s what you’ll need:

  • Access to your Nginx server (via SSH)
  • OpenSSL installed
  • A registered domain name with one or more subdomains
  • Root or sudo privileges on the server
  • A Wildcard SSL Certificate (purchased from a trusted Certificate Authority)

Let’s move to the actual steps for how to install the Wildcard SSL certificate on Nginx.

Step 1: Generate a CSR and Private Key Using OpenSSL

The first step is to generate a Certificate Signing Request (CSR) and a Private Key. The CSR contains your domain information and is required by the Certificate Authority (CA) to issue your Wildcard SSL.

Command to Generate CSR:

openssl req -new -newkey rsa:2048 -nodes -keyout your_domain.key -out your_domain.csr

When prompted, enter your details carefully:

  • Common Name: *.yourdomain.com (Include the asterisk for the wildcard)
  • Organization Name: Your company name
  • Organizational Unit: IT, Web Security, etc.
  • City/Locality, State, and Country: Match your business location

The above command creates two files:

  • your_domain.key — the private key (keep it secure!)
  • your_domain.csr — submit this file to your SSL provider

Step 2: Submit CSR and Purchase Wildcard SSL Certificate

Once your CSR is ready, submit it to your SSL provider to purchase your Nginx Wildcard certificate. After completing the domain validation process, the CA will issue your certificate.

You will typically receive a ZIP file containing:

  • Primary certificate (your_domain.crt)
  • Intermediate certificate(s) (CA_bundle.crt or similar)

Step 3: Upload Certificate Files to the Nginx Server

Next, log in to your Nginx server using SSH or FTP, and create a directory to store your SSL files:

sudo mkdir -p /etc/nginx/ssl

Upload the following files into this directory:

  • your_domain.crt (the wildcard certificate)
  • your_domain.key (the private key you generated)
  • CA_bundle.crt (the intermediate certificate)

Now, merge the certificate and CA bundle into one file for Nginx:

cat your_domain.crt CA_bundle.crt > bundle.crt
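
One way to catch a bundle merged in the wrong order before Nginx refuses to load it, as an added example that is not part of the original guide: it compares the public key of the first certificate in the bundle with the private key. The function names are hypothetical, and the CA and wildcard certificate are throwaway test data generated inline.

```sh
#!/bin/sh
# Added example: check that the FIRST certificate in the merged bundle belongs
# to the private key. Nginx treats the first certificate in the ssl_certificate
# file as the server certificate, so a bundle merged in the wrong order fails.

bundle_matches_key() {   # $1 = bundle file, $2 = private key file
    # "openssl x509" reads only the first PEM certificate in the file.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

make_demo() {            # constructed test data: throwaway CA + wildcard leaf in dir $1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/CA_bundle.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.example.com" \
        -keyout "$1/your_domain.key" -out "$1/your_domain.csr" 2>/dev/null
    openssl x509 -req -in "$1/your_domain.csr" -days 1 -set_serial 1 \
        -CA "$1/CA_bundle.crt" -CAkey "$1/ca.key" \
        -out "$1/your_domain.crt" 2>/dev/null
    cat "$1/your_domain.crt" "$1/CA_bundle.crt" > "$1/bundle.crt"    # order used in Step 3
    cat "$1/CA_bundle.crt" "$1/your_domain.crt" > "$1/reversed.crt"  # wrong order
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir"
for f in bundle.crt reversed.crt; do
    if bundle_matches_key "$demo_dir/$f" "$demo_dir/your_domain.key"; then
        echo "$f: first certificate matches your_domain.key"
    else
        echo "$f: first certificate does NOT match your_domain.key"
    fi
done
rm -rf "$demo_dir"
```

The same function works on the real files in /etc/nginx/ssl; a mismatch there means the bundle order or the key file is wrong.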

Step 4: Configure Nginx to Use the Wildcard SSL Certificate

Now it’s time to tell Nginx to use your new SSL certificate.

Edit your server block file (commonly found in /etc/nginx/sites-available/your-site or directly inside nginx.conf).

Here’s a sample configuration:

server {
    listen 443 ssl;
    server_name *.yourdomain.com;

    ssl_certificate /etc/nginx/ssl/bundle.crt;
    ssl_certificate_key /etc/nginx/ssl/your_domain.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    location / {
        root /var/www/yourdomain.com;
        index index.html index.htm;
    }
}

Note: Replace yourdomain.com and file paths with your actual domain and directory structure.

Step 5: Test Your Nginx Configuration

Before restarting Nginx, always test your configuration to avoid downtime:

sudo nginx -t

If the test passes, reload Nginx to apply the new SSL settings:

sudo systemctl reload nginx

Step 6: Verify SSL Installation

You should now be able to visit your site using https://subdomain.yourdomain.com and see the secure padlock.

To double-check the configuration:

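  • Use the OpenSSL command line (-servername sends the hostname via SNI so the matching server block answers, and </dev/null closes the connection once the handshake output has been printed):

openssl s_client -connect subdomain.yourdomain.com:443 -servername subdomain.yourdomain.com </dev/null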

Look for a successful certificate chain and your wildcard domain listed.
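
Which names the installed certificate actually covers can be checked with OpenSSL's own hostname matching. This added example (not part of the original guide) builds two constructed certificates and shows that a wildcard entry matches one label only, and that the bare domain is covered only when it is listed as its own subject alternative name; the helper names are hypothetical.

```sh
#!/bin/sh
# Added example: report which hostnames a wildcard certificate covers.
# The certificates below are constructed test data, generated inline.

cert_covers() {          # $1 = certificate file, $2 = hostname
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

make_wildcard() {        # $1 = output prefix, $2 = subjectAltName value
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=*.example.com" -addext "subjectAltName=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

coverage_report() {      # $1 = certificate file, remaining args = hostnames
    cert=$1; shift
    for host in "$@"; do
        if cert_covers "$cert" "$host"; then
            echo "covered      $host"
        else
            echo "NOT covered  $host"
        fi
    done
}

demo_dir=$(mktemp -d)
make_wildcard "$demo_dir/wild" "DNS:*.example.com"
make_wildcard "$demo_dir/wild_apex" "DNS:*.example.com,DNS:example.com"
for c in wild wild_apex; do
    echo "== $c.crt"
    coverage_report "$demo_dir/$c.crt" \
        www.example.com blog.example.com example.com dev.blog.example.com
done
rm -rf "$demo_dir"
```

To run the report against the live site, pipe the s_client output into `openssl x509 -out served.crt` and pass served.crt to coverage_report.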

Bonus Tips for Wildcard Certificate Installation on Nginx Server

- Regularly Renew Your SSL Certificate

Most SSL certificates are valid for 1 year (some for 13 months). Always keep track of the expiration and renew on time to avoid security warnings.

- Automate with Certificate Management Tools

Use certificate management solutions to automate renewals and deployment across multiple servers or services.

- Stay Updated

Make sure your Nginx web server is updated to the latest version. New versions often come with improved SSL/TLS protocol support and security patches.

Wrapping Up

Installing a Wildcard SSL certificate on Nginx may seem technical at first, but following these steps makes the process simple and secure. From CSR generation to Nginx configuration, every step ensures that your primary domain and all its subdomains are encrypted and protected from cyber threats.

To recap:

  • Generate CSR and private key
  • Purchase and validate your certificate
  • Upload and merge certificates
  • Update your Nginx config
  • Reload Nginx and test installation

With a properly configured Nginx Wildcard certificate, you’ll save time, streamline management, and enhance trust for every subdomain you own.