# First, generate the key. You will be prompted to enter a password, but we will strip it out in the next step:
openssl genrsa -des3 -out server.orig.key 2048
# Then, stip out the password:
openssl rsa -in server.orig.key -out server.key
# Edit the OSX openssl config file to include your alternate names.
# Edit the 'subjectAltName' field. E.g.:
#
# subjectAltName = "DNS:mydomain.com, DNS:*.beta.mydomain.com"
#
# You should use the wildcard for your primary (Common name) in the next step
# and set at least the root domain as a subjectAltName. This example will
# create a valid certificate for mydomain.com, *.mydomain.com and *.beta.mydomain.com
# If you do not set the root domain (mydomain.com) in this example as an alt name
# visitors will get a security warning when visiting https://mydomain.com, though not
# when visiting https://www.mydomain.com
sudo nano /System/Library/OpenSSL/openssl.cnf
# Generate the CSR:
openssl req -new -key server.key -out server.csr
# This step will require you to enter some information that will appear on the certificate.
# Only the first 4 fields plus the 'Common Name' (your main domain name) is required.
# For a wildcard subdomain, enter *.mydomain.com for the 'Common Name'. Here's an example:
#
#
# Country Name (2 letter code) [AU]:CA
# State or Province Name (full name) [Some-State]:Ontario
# Locality Name (eg, city) []:Toronto
# Organization Name (eg, company) [Internet Widgits Pty Ltd]:Your Company, Inc.
# Organizational Unit Name (eg, section) []:
# Common Name (eg, YOUR name) []:*.mydomain.com
# Email Address []:
# Finally, Check to see if it's as expected:
openssl req -text -noout -in server.csr
# Once you receive your certificate, you will probably have two or three .crt files.
# You'll probably have to concatenate them together into a single .crt (At least for Heroku or nGinx).
# E.g.:
cat STAR_mydomain_com.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > bundle.crt