Using wildcard for generating cert and key

hello, do my CN is acceptable for Istio? or should I just use domain.com instead of *.domain.com?

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=$domain.com Inc./CN=*.$domain.com' -keyout $domain.com.key -out $domain.com.crt

openssl req -out *.$domain.com.csr -newkey rsa:2048 -nodes -keyout *.$domain.com.key -subj "/CN=*.$domain.com/O=hello world from $domain.com"

openssl x509 -req -days 365 -CA $domain.com.crt -CAkey $domain.com.key -set_serial 0 -in *.$domain.com.csr -out *.$domain.com.crt

$ kubectl exec -i -n istio-system $(kubectl get pod -l istio=ingressgateway -n istio-system -o jsonpath=‘{.items[0].metadata.name}’) – cat /etc/istio/ingressgateway-certs/tls.crt | openssl x509 -text -noout | grep ‘Subject:’

    Subject: CN=*.domain.com, O=hello world from domain.com