Tech Tip: Configuring a Wildcard SSL/TLS Certificate
PRODUCT: 4D | VERSION: 20 | PLATFORM: Mac & Win
Published On: July 22, 2025

A wildcard certificate for *.my-domain.com secures all first-level subdomains such as ed.my-domain.com or app.my-domain.com with a single certificate. To follow the steps below, you must control a domain such as my-domain.com and be able to modify its DNS records through your provider. Install Certbot, a Let’s Encrypt client, by following the official documentation for Windows or macOS. Additionally, install OpenSSL for certificate verification, and confirm that port 443 (HTTPS) is open on your server and not blocked by any firewall.

Generate the Wildcard Certificate

Run Certbot with the DNS-01 challenge to obtain a wildcard certificate for *.my-domain.com:
certbot certonly --manual --preferred-challenges dns -d "*.my-domain.com"

Follow the Certbot prompts: enter your email address for renewal notifications and agree to the terms of service. Certbot then displays a DNS TXT record to publish. Log in to your domain’s DNS provider and add the TXT record exactly as instructed. Wait for DNS propagation, typically 5–15 minutes depending on your provider, before letting Certbot continue. Verify propagation with:

nslookup -type=TXT _acme-challenge.my-domain.com

Certbot will validate the DNS record and issue the certificate. The output files are stored in C:\Certbot\live\my-domain.com\ on Windows or /etc/letsencrypt/live/my-domain.com/ on macOS. Key files include privkey.pem, fullchain.pem, and cert.pem.

Verify the Certificate

Confirm the certificate covers *.my-domain.com:
openssl x509 -in /etc/letsencrypt/live/my-domain.com/fullchain.pem -text -noout

On Windows, replace the path with C:\Certbot\live\my-domain.com\fullchain.pem. Look for DNS:*.my-domain.com in the Subject Alternative Name (SAN) field. Verify the private key matches the certificate:
openssl x509 -noout -modulus -in /etc/letsencrypt/live/my-domain.com/fullchain.pem | openssl md5
openssl rsa -noout -modulus -in /etc/letsencrypt/live/my-domain.com/privkey.pem | openssl md5

The MD5 hashes must match. If they differ, the private key is incorrect.
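The SAN check and the key/certificate match above, combined into one script, as an added example that is not part of the 4D tech tip. It compares the public key embedded in fullchain.pem with the public key derived from privkey.pem using openssl pkey, which reads RSA and EC keys alike; the openssl rsa -modulus form only works for RSA keys, and Certbot has issued ECDSA keys by default since version 2.0. It also confirms that DNS:*.my-domain.com appears as an exact entry in the Subject Alternative Name list. The LIVE directory and the domain name are assumptions to adjust for your setup.

```shell
#!/bin/sh
# Added example, not from the 4D tech tip: check that privkey.pem belongs to
# fullchain.pem and that the wildcard name is present in the SAN list.
# `openssl pkey` reads RSA and EC keys alike, so this also works for the
# ECDSA keys Certbot issues by default since version 2.0, where
# `openssl rsa -modulus` fails with "unable to load Private Key".
set -eu

# Print the PEM public key (SubjectPublicKeyInfo) of the first certificate
# in a file; fullchain.pem starts with the leaf certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }

# Print the PEM public key derived from a private key (RSA or EC).
key_pubkey() { openssl pkey -in "$1" -pubout; }

# SHA-256 fingerprint of a PEM public key passed as text, for display.
pubkey_fp() {
    printf '%s\n' "$1" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when the private key matches the certificate. Either file failing
# to load is a mismatch, not an accidental "" = "" success.
key_matches_cert() {
    c=$(cert_pubkey "$1") || return 1
    k=$(key_pubkey "$2") || return 1
    [ "$c" = "$k" ]
}

# Exit 0 when the certificate's Subject Alternative Name list contains
# exactly the DNS name given, so "*.my-domain.com" is not confused with
# "*.my-domain.company" or "app.my-domain.com".
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' \
        | grep -Fxq "DNS:$2"
}

# Run both checks against a Certbot live directory for a given apex domain.
check_live_dir() {
    dir=$1
    domain=$2
    if key_matches_cert "$dir/fullchain.pem" "$dir/privkey.pem"; then
        echo "OK: privkey.pem matches fullchain.pem (SPKI SHA-256 $(pubkey_fp "$(key_pubkey "$dir/privkey.pem")"))"
    else
        echo "ERROR: privkey.pem does not match fullchain.pem" >&2
        return 1
    fi
    if cert_has_san "$dir/fullchain.pem" "*.$domain"; then
        echo "OK: certificate covers *.$domain"
    else
        echo "ERROR: *.$domain is not in the Subject Alternative Name list" >&2
        return 1
    fi
}

# Assumed location; on Windows point this at C:\Certbot\live\my-domain.com
# from a POSIX shell such as Git Bash.
LIVE="${LIVE:-/etc/letsencrypt/live/my-domain.com}"
if [ -d "$LIVE" ]; then
    check_live_dir "$LIVE" "my-domain.com"
fi
```

Run it as LIVE=/path/to/live/my-domain.com sh check-cert.sh. Comparing the two PEM public keys directly is equivalent to comparing moduli for RSA, but it also covers EC keys and avoids the trap of two failed pipelines producing identical empty hashes.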

Test the Configuration

Test the SSL/TLS connection from the server:
openssl s_client -connect ed.my-domain.com:443

Replace ed.my-domain.com with your subdomain. This should display the certificate chain and a successful handshake. Open a browser and navigate to https://ed.my-domain.com, then verify the certificate (click the padlock icon) shows *.my-domain.com issued by Let’s Encrypt.