I’ve done my own self signed certificates before, but since I do this so infrequently, it is not something that I tend to keep in my brain long. (That’s what Google is for, right?!?)  So when I went to find out how to do this again, I found the most concise information on how to create a self-signed wildcard SSL certificate than any of my previous endeavors to cobble this information together.

Creating the self-signed wildcard SSL certificate

Courtesy of Justin Samuel, here it is:
mkdir /usr/share/ssl/certs/hostname.domain.com
cd /usr/share/ssl/certs/hostname.domain.com
(umask 077 && touch host.key host.cert host.info host.pem)
openssl genrsa 2048 > host.key
openssl req -new -x509 -nodes -sha1 -days 3650 -key host.key > host.cert
...[enter *.domain.com for the Common Name]...
openssl x509 -noout -fingerprint -text < host.cert > host.info
cat host.cert host.key > host.pem
chmod 400 host.key host.pem

Obviously, you can 1) create this directory wherever you want and 2) should probably substitute the word “host” for whatever your hostname is to decrease confusion.

What now?

All that remains is to tell apache (or whatever needs to use the certificate) about it.  Here’s my code to get it installed on apache:
SSLEngine on
SSLCertificateFile /path/to/host.cert
SSLCertificateKeyFile /path/to/host.key
SSLProtocol all

What about my NameVirtualHost?

Aye, there’s the rub.  Due to the nature of the SSL layer in HTTPS, negotiating a secure connection happens before the HTTP protocol is initiated. That means that at the time the SSL layer is in play, the “Host” header has not been sent and, therefore, apache cannot determine which NameVirtualHost to use.

But, frankly, if you’re self-signing your certificates, the browser is going to throw a warning anyway. Might as well just make it as generic as possible and then all traffic running on through the HTTPS port will share the same certificate.