

GeoTrust Certificates

We have a wildcard certificate for *.surfrock66.com which is used on the actual PlusPlus Hosted www.surfrock66.com site, and is used in the house on any services which are accessible at *.surfrock66.com. Each year, we must purchase it as an add-on to the business hosted package ($140/year), then submit a ticket to PlusPlus Hosting for them to provide a copy of the certificate as a .crt and the key as a .key. They will attach it to the ticket, then after you download it, remove it.

We download the files to sr66-web-01 at /home/surfrock66/Projects/SSL with the name “wildcard.surfrock66.com.YYYY.EXT” with YYYY as the current year, and EXT as the file extension.

The .crt file needs to be copied to “/etc/ssl/certs/wildcard.surfrock66.com.crt” and the .key needs to be copied to “/etc/ssl/private/wildcard.surfrock66.com.key”. This applies to all Apache sites, and Apache needs to be restarted with “systemctl restart apache2”. Additionally, you will need the intermediate certificate (formerly RapidSSL, now DigiCert), which I place in /etc/ssl/certs/intermediate.surfrock66.crt. All of the certs in /etc/ssl/certs/ need to be owned by “root:ssl-certs” and must have 644 permissions; all the certs in /etc/ssl/private must be owned by “root:ssl-certs” and must have 640 permissions.
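The install steps above as a script, added here as an example and not part of the original page: it refuses to install a key that does not match the certificate or a certificate that is about to expire, then applies the owner and modes stated above and verifies them. The function names, the `--install` flag, the 30-day threshold and the `apache2ctl configtest` step are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: checks before installing the renewed wildcard pair.
# Paths, owner and modes come from this page; the function names, the
# --install flag and the 30-day threshold are assumptions of this example.

CRT_DST=/etc/ssl/certs/wildcard.surfrock66.com.crt
KEY_DST=/etc/ssl/private/wildcard.surfrock66.com.key

# 0 if the private key and the certificate carry the same public key,
# 1 if they differ, 2 if either file cannot be parsed.
key_matches_cert() {  # $1 = .crt  $2 = .key
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the certificate is still valid $2 seconds from now.
cert_valid_for() {  # $1 = .crt  $2 = seconds
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# 0 if the file has exactly the expected owner:group and octal mode.
check_perms() {  # $1 = file  $2 = owner:group  $3 = mode
    [ "$(stat -c '%U:%G %a' "$1" 2>/dev/null)" = "$2 $3" ]
}

# Copy both files into place with the stated owner and modes, confirm
# them, then test the Apache config before restarting. Needs root.
install_pair() {  # $1 = .crt  $2 = .key
    install -o root -g ssl-certs -m 644 "$1" "$CRT_DST" &&
    install -o root -g ssl-certs -m 640 "$2" "$KEY_DST" &&
    check_perms "$CRT_DST" root:ssl-certs 644 &&
    check_perms "$KEY_DST" root:ssl-certs 640 &&
    apache2ctl configtest && systemctl restart apache2
}

# Usage (as root): <script> --install wildcard.surfrock66.com.YYYY.crt wildcard.surfrock66.com.YYYY.key
if [ "${1:-}" = "--install" ] && [ "$#" -eq 3 ]; then
    key_matches_cert "$2" "$3" || { echo "key does not match certificate" >&2; exit 1; }
    cert_valid_for "$2" $((30 * 86400)) || { echo "certificate expires within 30 days" >&2; exit 1; }
    install_pair "$2" "$3" || { echo "install or Apache restart failed" >&2; exit 1; }
fi
```

The same checks can be run on each server that holds a copy of the wildcard certificate after it is renewed.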

Servers that have the wildcard cert and need to be updated when it is renewed:

On sr66-ast-01 the files that reference the cert:

