Why do some wildcard certificates have asterisk in subject field and some not?
Certificates are valid for the Subject included in the certificate, but when there are any Subject Alternative Name entries, they are valid for those.
So limiting the openssl x509 output to only the subject is an inconclusive test.
A certificate with

    Subject: CN=*.example.com
    X509v3 Subject Alternative Name:
        DNS:*.example.com, DNS:example.com

is effectively equivalent to

    Subject: CN=example.com
    X509v3 Subject Alternative Name:
        DNS:example.com, DNS:*.example.com

and although the Subject can only list one name, both certificates are valid for both the bare domain AND the subdomain wildcard.
As far as I know there is neither a convention nor a technical reason to prefer one of the above options to the other and you can expect to see both. What you see depends on the options originally used by the admin requesting the certificate.
And you commonly even see a completely different Subject when requesting the certificate for www.example.com when one or more completely different domain names are also in use:

    Subject: CN=example.NET
    X509v3 Subject Alternative Name:
        DNS:example.NET, DNS:*.example.NET, DNS:*.example.com, DNS:example.com

Displaying the SAN entries is not completely trivial in older versions of openssl that don't support the -ext subjectAltName option yet: https://stackoverflow.com/q/20983217
Will there be some certificates that are listed as CN = example.com in the "subject" field which are not wildcard and would break in the browser if I try to open "subdomain.example.com"?
The advent of Server Name Indication (SNI) means that a server is not limited to using only a single TLS certificate but can be configured with multiple certificates, each valid for different DNS names, DNS wildcards and possibly IP-addresses.
The fact that connecting with SNI to https://www.example.net:443 results in a certificate valid for only www.example.net (and no SAN entries) does not mean that requests for a different hostname will result in an error.
Until you actually try it you won't know beforehand if connecting to the same server with an SNI request for other names will result in a certificate error.
If the server is configured with a separate, additional and valid certificate for subdomain.example.net, you won't know until you actually request https://subdomain.example.net:443.
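As an added illustration of the answer's two points (SAN entries override the Subject CN, and the presented certificate depends on the SNI name you send), here is a small Python script that is not part of the original answer. It parses constructed `openssl x509 -noout -subject -ext subjectAltName` style output for the certificates shown above, derives the set of names each certificate is actually valid for, and applies the usual wildcard rule (a single `*` as the whole leftmost label matching exactly one label, as in RFC 6125). The function names (`parse_openssl_text`, `effective_names`, `name_matches`, `cert_covers`, `peer_names_via_sni`) and the sample certificate text are my own; the final helper performs a live connection and is only meant to show how to repeat the check with a different SNI name.

```python
import re
import socket
import ssl

# Constructed sample output, shaped like the answer's examples (not real certificates).
CERT_A = """subject=CN = *.example.com
X509v3 Subject Alternative Name:
    DNS:*.example.com, DNS:example.com
"""
CERT_B = """subject=CN = example.com
X509v3 Subject Alternative Name:
    DNS:example.com, DNS:*.example.com
"""
# A certificate with a Subject only and no SAN extension.
CERT_NO_SAN = """subject=CN = www.example.net
"""


def parse_openssl_text(text):
    """Return (subject CN, [DNS SAN entries]) from openssl x509 text output."""
    cn = None
    m = re.search(r"^subject=.*?CN\s*=\s*([^,/\n]+)", text, re.M)
    if m:
        cn = m.group(1).strip()
    sans = []
    m = re.search(r"Subject Alternative Name:\s*(DNS:[^\n]+)", text)
    if m:
        for entry in m.group(1).split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                sans.append(entry[len("DNS:"):].strip().lower())
    return cn, sans


def effective_names(cn, sans):
    """When a SAN extension is present it is authoritative; the CN is only a fallback."""
    if sans:
        return sorted(set(sans))
    return [cn.lower()] if cn else []


def name_matches(pattern, hostname):
    """Exact match, or a wildcard that is the whole leftmost label and covers one label only.

    Patterns like '*.com' are rejected as a conservative choice (browsers reject
    wildcards on public suffixes); 'a.b.example.com' does not match '*.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(openssl_text, hostname):
    """True if the certificate described by the openssl output is valid for hostname."""
    cn, sans = parse_openssl_text(openssl_text)
    return any(name_matches(n, hostname) for n in effective_names(cn, sans))


def peer_names_via_sni(host, port=443, servername=None):
    """Connect with a chosen SNI name and return the names of the certificate presented.

    Network-dependent; repeat with different servername values to see whether the
    server hands out a different certificate per SNI name. Chain verification is
    kept on; only the hostname check is disabled so a non-matching cert is still shown.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername or host) as tls:
            cert = tls.getpeercert()
    cn = next((v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"), None)
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return effective_names(cn, sans)


if __name__ == "__main__":
    for label, text in (("A", CERT_A), ("B", CERT_B), ("no SAN", CERT_NO_SAN)):
        cn, sans = parse_openssl_text(text)
        print(label, "valid for:", effective_names(cn, sans))
    print("A covers sub.example.com:", cert_covers(CERT_A, "sub.example.com"))
    print("A covers a.b.example.com:", cert_covers(CERT_A, "a.b.example.com"))
```

Running it shows that certificates A and B resolve to the same name set despite their different Subjects, that the wildcard covers one subdomain level only, and that the SAN-less certificate covers nothing but its CN; `peer_names_via_sni(host, servername="subdomain.example.net")` is how you would ask the server the question the answer says you cannot settle in advance.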