If you need a wildcard certificate, you would still follow the same flow, except you would use a wildcard (*) in the Common Name when generating the server certificate signing request.
$ openssl req -new -key server.key -out server.csr -subj "/CN=*.xyz.com"
This will enable you to authenticate with domains
xyz.com itself will not authenticate, so you will need to add it to the Subject Alternative Names. Clients that find a subjectAltName extension ignore the CN for hostname matching, so list the wildcard there as well:
$ openssl x509 -req -days 365 -extfile <(printf "subjectAltName=DNS:*.xyz.com,DNS:xyz.com,DNS:www.xyz.com") -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
A good reference on the above: https://www.idmworks.com/wildcard-ssl-certificate-in-common-name-cn/
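
To check which hostnames a certificate built this way really covers, the script below (an added example, not from the original page) signs a CN=*.xyz.com certificate with two different SAN lists and runs OpenSSL's own hostname check against each. The "Demo CA" name, the temporary file names and the test hostnames api.xyz.com and a.b.xyz.com are assumptions made for the demo.

```shell
#!/bin/sh
# Added example. xyz.com, "Demo CA" and the file names are constructed for this demo.

# make_cert DIR SANS: throwaway CA plus a server cert with CN=*.xyz.com and the
# given subjectAltName list (keys are generated inline with -newkey).
make_cert() {
    _d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$_d/ca.key" -out "$_d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=*.xyz.com" \
        -keyout "$_d/server.key" -out "$_d/server.csr" 2>/dev/null
    # A plain file instead of <(...) keeps this working in POSIX sh.
    printf 'subjectAltName=%s\n' "$2" > "$_d/san.ext"
    openssl x509 -req -days 1 -extfile "$_d/san.ext" -in "$_d/server.csr" \
        -CA "$_d/ca.crt" -CAkey "$_d/ca.key" -set_serial 01 \
        -out "$_d/server.crt" 2>/dev/null
}

# covers CERT HOST: exit 0 if OpenSSL's hostname check accepts HOST.
covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# report SANS: build a cert with that SAN list, print a match table, clean up.
report() {
    tmp=$(mktemp -d) || return 1
    make_cert "$tmp" "$1" || { rm -rf "$tmp"; return 1; }
    for h in xyz.com www.xyz.com api.xyz.com a.b.xyz.com; do
        if covers "$tmp/server.crt" "$h"; then r=match; else r="NO match"; fi
        printf '%-30s %-12s %s\n' "$1" "$h" "$r"
    done
    rm -rf "$tmp"
}

report "DNS:xyz.com,DNS:www.xyz.com"   # wildcard only in the CN
report "DNS:*.xyz.com,DNS:xyz.com"     # wildcard also in the SAN
```

The first table shows api.xyz.com rejected even though the CN is *.xyz.com, because the SAN list takes precedence; the second shows that the wildcard covers exactly one label, so a.b.xyz.com still fails.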