Wildcard SSL certificate for second-level subdomain

Solution 1:

RFC2818 states:

If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

Internet Explorer behaves in the way outlined by the RFC, where each level needs its own wildcarded certificate. Firefox is happy with a single *.domain.com where * matches anything in front of domain.com, including other.levels.domain.com, and will also handle the *.*.domain.com type.

So, to answer your question: it is possible, and supported by browsers.

Solution 2:

All answers here are outdated or not fully correct, as they do not consider RFC 6125 from 2011.

According to RFC 6125, only a single wildcard is allowed, and only in the left-most fragment.

Valid:

*.sub.domain.tld
*.domain.tld

Invalid:

sub.*.domain.tld
*.*.domain.tld
domain.*
*.tld
sub.*.*

A fragment, also called a "label", is a closed component; e.g., *.com (2 labels) does not match label.label.com (3 labels). This was already defined in RFC 2818.

Before 2011, RFC 2818 was not fully clear on this:

Specifications for existing application technologies are not clear or consistent about the allowable location of the wildcard character.

This has changed with RFC 6125 from 2011 (6.4.3):

The client SHOULD NOT attempt to match a presented identifier in which the wildcard character comprises a label other than the left-most label (e.g., do not match bar.*.example.net).
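As an added example (not part of any of the answers above), here is a Python function implementing the matching rules described in this answer: one wildcard, only in the left-most label, covering exactly one label. The rejection of *.tld (fewer than two labels after the wildcard) is an assumed policy taken from the "Invalid" list above, not a rule spelled out in RFC 6125.

```python
import re


def wildcard_matches(presented: str, hostname: str) -> bool:
    """Match a hostname against a presented dNSName per RFC 6125 section 6.4.3.

    - '*' covers at most one DNS label: *.a.com matches foo.a.com,
      but not bar.foo.a.com (rule 2).
    - '*' may only appear in the left-most label, and only once (rule 1),
      so sub.*.domain.tld and *.*.domain.tld are rejected.
    - '*' may be a fragment of the left-most label (rule 3, a MAY):
      baz*.example.net matches baz1.example.net.
    - At least two labels must follow the wildcard label, so *.tld is
      rejected (assumed policy, following the "Invalid" list above).
    Identifiers without a wildcard must match exactly. DNS names are
    case-insensitive, so comparison is done in lower case.
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    if presented.count("*") != 1:
        return False  # more than one wildcard, e.g. *.*.domain.tld
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if "*" not in p_labels[0]:
        return False  # wildcard in a non-left-most label, e.g. sub.*.domain.tld
    if len(p_labels) < 3:
        return False  # *.tld: fewer than two labels after the wildcard
    if "" in h_labels or "" in p_labels[1:]:
        return False  # empty labels are never valid DNS names
    if len(p_labels) != len(h_labels):
        return False  # the wildcard covers exactly one label, no more, no less
    if p_labels[1:] != h_labels[1:]:
        return False  # all labels right of the wildcard must match literally
    # Left-most label: turn "baz*" into the anchored regex ^baz[^.]*$
    head, tail = p_labels[0].split("*")
    left = re.compile("^" + re.escape(head) + "[^.]*" + re.escape(tail) + "$")
    return left.match(h_labels[0]) is not None


if __name__ == "__main__":
    for pattern, host in [("*.sub.domain.tld", "a.sub.domain.tld"),
                          ("*.sub.domain.tld", "b.a.sub.domain.tld"),
                          ("sub.*.domain.tld", "sub.x.domain.tld"),
                          ("*.tld", "domain.tld")]:
        print(f"{pattern:20} {host:22} -> {wildcard_matches(pattern, host)}")
```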

Solution 3:

When a Wildcard SSL certificate is issued for *.domain.com, you can secure an unlimited number of subdomains under the main domain.

For example:

  • sub1.domain.com
  • sub2.domain.com
  • sub3.domain.com
  • sub*.domain.com

If the Wildcard SSL certificate is issued for *.sub1.domain.com, you can secure all second-level subdomains under sub1.domain.com.

For example:

  • aaa.sub1.domain.com
  • bbb.sub1.domain.com
  • ccc.sub1.domain.com
  • ***.sub1.domain.com

If you want to secure a limited number of subdomains and second-level domains, you can choose a multi-domain SSL certificate, which can secure up to 100 domain names with a single certificate.

For example:

  • domain.com
  • sub1.domain.com
  • aaa.sub2.domain.com
  • domain2.net
  • domain3.org

You should know your actual requirements before choosing an SSL certificate.