Why do some wildcard certificates have asterisk in subject field and some not?

ssl openssl

Certificates are valid for the Subject included in the certificate, but when there are any Subject Alternative Name entries, it is valid for those.

So limiting the openssl x509 output to only the subject is an inconclusive test.

A certificate with

    Subject: CN=*.example.com

    X509v3 Subject Alternative Name:
       DNS:*.example.com, DNS:example.com

is effectively equivalent to

    Subject: CN=example.com

    X509v3 Subject Alternative Name:
       DNS:example.com, DNS:*,example.com

and although the Subject can only list one name both certificates are valid for both the bare domain AND the subdomain wildcard.

As far as I know there is neither a convention nor a technical reason to prefer one of the above options to the other and you can expect to see both. What you see depends on the options originally used by the admin requesting the certificate.

And you commonly even see a completely different Subject when requesting the certificate for www.example.com when also one or more completely different domain names are in use:

    Subject: CN=example.NET

    X509v3 Subject Alternative Name:
       DNS:example.NET, DNS:*.example.NET, DNS:*.example.com, DNS:example.com

Displaying the SAN entries is not completely trivial in older versions of openssl that don't support the -ext subjectAltName option yet : https://stackoverflow.com/q/20983217

Will there be some certificates that are listed as CN = example.com in the "subject" field which are not wildcard and would break in the browser if I try to open "subdomain.example.com"?

The advent of Server Name Indication (SNI) means that a server is not limited to using only a single TLS certificate but can be configured with multiple certificates, each valid for different DNS names, DNS wildcards and possibly IP-addresses.

The fact that when you use SNI to connect to https://www.example.net:443 results in a certificate valid for only www.example.net (and no SAN entries) does not mean that requests for different hostname will result in an error.

Until you actually try it you won't know beforehand if connecting to the same server with an SNI request for other names will result in a certificate error.

If the server is configured with an separate additional and valid certificate for subdomain.example.net you won't know until you actually request https://subdomain.example.net:443

Related

Styling part of label in legend in matplotlib
Error: MapFragment cannot be cast to android.support.v4.app.Fragment
node.js /socket.io/socket.io.js not found
structured binding with [[maybe_unused]]
How to disable double click zoom for d3.behavior.zoom?
How to check if file exists in a Windows Store App?
SSRS 2008 - Dealing with division by zero scenarios
Incorrect syntax near ''
Renaming foreign-key columns in MySQL
What is the short cut in eclipse to terminate debugging/running?
Hide Angular UI Bootstrap popover when clicking outside of it
Can't Hide Status Bar—Swift 3, [duplicate]