Debian
Ninazu, 2019-04-30 19:50:24

How do I create a self-signed certificate for several levels of subdomains at once?

In general, I want a wildcard certificate for all levels of subdomains (the names of the levels and their number are not known),
that is, one that picks up all such combinations without needing to enumerate them:

73.test.loc
73.admin.test.loc
73.abc.loc
56.abc.loc
56.admin.test.loc
72.xyloc
....

# Create the root certificate if it has not been created yet
if [ ! -f rootCA.pem ]; then
  openssl genrsa -out rootCA.key 2048
  openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
fi

# Reuse device.key if it already exists, otherwise generate it together with the CSR
if [ -f device.key ]; then
  KEY_OPT="-key"
else
  KEY_OPT="-keyout"
fi

# Create the domain certificate (CN defaults to $DOMAIN unless a second script argument is given)
DOMAIN='loc'
COMMON_NAME=${2:-$DOMAIN}
SUBJECT="/C=CA/ST=None/L=NB/O=None/CN=$COMMON_NAME"
NUM_OF_DAYS=999
openssl req -new -newkey rsa:2048 -sha256 -nodes $KEY_OPT device.key -subj "$SUBJECT" -out device.csr
# Fill in %%DOMAIN%% in the v3.ext template (shown below) and sign the CSR with the root CA
sed "s/%%DOMAIN%%/$COMMON_NAME/g" v3.ext > /tmp/__v3.ext
openssl x509 -req -in device.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out device.crt -days $NUM_OF_DAYS -sha256 -extfile /tmp/__v3.ext

Certificate template (v3.ext):
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = %%DOMAIN%%
DNS.2 = *.%%DOMAIN%%
DNS.3 = *.*.%%DOMAIN%%

rootCA.pem has been added to Chrome.
Apache is pointed at:
SSLCertificateFile    /home/ninazu/loc.crt
SSLCertificateKeyFile /home/ninazu/device.key

It seems that it even picked up the certificate,
but it complains about the CN, as I understand it:
NET::ERR_CERT_COMMON_NAME_INVALID

which in my case is
CN=*.loc

1 answer(s)
CityCat4, 2019-05-02

Apache completely ignores the SAN and takes the site name from the CN. If it is not there, that's it, the certificate is not suitable.
But why does it matter to you? You can make as many home-made certificates as you like.
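As an added example (not code from the question or the answer), the following Python script checks which of the hostnames listed in the question a certificate carrying the SAN entries from v3.ext (DNS.1 to DNS.3 with DOMAIN=loc) would actually cover. It applies the RFC 6125 section 6.4.3 rules that browsers use: only SAN dNSName entries are consulted when any are present, a wildcard is honoured only as the entire left-most label, and it stands for exactly one label.

```python
# Added example: coverage check for the SAN list produced by v3.ext.
# SAN dNSName entries from the page's template with DOMAIN=loc
SAN_DNS = ["loc", "*.loc", "*.*.loc"]

# Hostnames the question wants covered (taken from the page)
WANTED = ["73.test.loc", "73.admin.test.loc", "73.abc.loc",
          "56.abc.loc", "56.admin.test.loc", "72.xyloc"]


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers hostname (RFC 6125 rules)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "" in p_labels or "" in h_labels:
        return False  # empty label: malformed name or pattern
    # A wildcard is honoured only as the entire left-most label, so
    # "*.*.loc" (wildcard in a non-left-most label) never matches anything.
    if any("*" in lab for lab in p_labels[1:]):
        return False
    if p_labels[0] == "*":
        # "*" stands for exactly one label: "*.loc" covers "test.loc"
        # but not "73.test.loc" and not "loc" itself.
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    if "*" in p_labels[0]:
        return False  # partial-label wildcards such as "7*.loc" are not honoured here
    return p_labels == h_labels


def covered_by(hostname: str, san_entries=SAN_DNS):
    """List the SAN entries that cover hostname (empty list = name not covered)."""
    return [p for p in san_entries if san_matches(p, hostname)]


def coverage_report(hostnames=WANTED, san_entries=SAN_DNS):
    """Map each wanted hostname to the SAN entries that match it."""
    return {h: covered_by(h, san_entries) for h in hostnames}


if __name__ == "__main__":
    for host, hits in coverage_report().items():
        print(f"{host:22s} -> {hits if hits else 'NOT covered'}")
```

Running it shows that none of the six hostnames is covered: every name needs its own exact entry or a single-level wildcard such as *.test.loc, and *.*.loc is dead weight in the SAN list.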
