*.domain.com wildcard not working for subdomain.subdomain.domain.com [duplicate]

Solution 1:

RFC2818 states:

If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

Internet Explorer behaves in the way outlined by the RFC, where each level needs its own wildcarded certificate. Firefox is happy with a single *.domain.com where * matches anything in front of domain.com, including other.levels.domain.com, but will also handle the *.*.domain.com types.

So, to answer your question: it is possible, and supported by browsers.

Solution 2:

All answers here are outdated or not fully correct, not considering the RFC 6125 from 2011.

According to RFC 6125, only a single wildcard is allowed, in the left-most fragment.

Valid:

*.sub.domain.tld
*.domain.tld

Invalid:

sub.*.domain.tld
*.*.domain.tld
domain.*
*.tld
sub.*.*

A fragment, also called a "label", is a closed component, e.g.: *.com (2 labels) does not match label.label.com (3 labels) - this has already been defined in RFC 2818.

Before 2011, in RFC 2818, the setting was not fully clear:

Specifications for existing application technologies are not clear or consistent about the allowable location of the wildcard character.

This has changed with RFC 6125 from 2011 (6.4.3):

The client SHOULD NOT attempt to match a presented identifier in which the wildcard character comprises a label other than the left-most label (e.g., do not match bar.*.example.net).