SSL setup: UCC or wildcard certificates?

I've scoured the web for a clear and concise answer to my SSL question, but to no avail. So here goes:

I have a web-service requiring SSL support for authentication pages. The root-level domain does not have the "www" - i.e., secure://domain.com - but localized pages use "language-code.domain.com", i.e. secure://ja.domain.com

So I need at least a wildcard SSL certificate that supports secure://*.domain.com

However, we also have a public sandbox environment at sandbox.domain.com, which we also need to support under localized domains - so secure://ja.sandbox.domain.com needs to also work.

The previous admin managed to purchase a wildcard SSL certificate for `*.domain.com`, but with a Subject Alternative Name for "domain.com". So, I'm thinking of trying to get a wildcard certificate with SANs defined as "domain.com" and "`*.*.domain.com`".

But now I'm getting confused because there seem to be separate SAN certificates, also called UCC certificates.

Can someone clarify whether it's possible to get a wildcard certificate with additional SAN fields, and ultimately what the best way is to support:

secure://domain.com secure://*.domain.com secure://*.*.domain.com

with the fewest (and cheapest!) number of SSL certificates?

Thanks!


Solution 1:

First, SAN certificates = UCC certificates. They are both just certificates with the SubjectAltName field.

Second, a wildcard of `*.*.domain.com` won't work in most browsers. You will either need to get two wildcard certificates (one for *.sandbox.domain.com and one for *.domain.com) or get a wildcard certificate for *.domain.com and have your SSL provider put a specific SubjectAltName of ja.sandbox.domain.com. I think DigiCert and GlobalSign offer this.
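As an added illustration (not code from the question or this answer), here is the browser-side matching rule that makes a double wildcard useless, applied to the hostnames from the question so you can check which names a given CN/SAN list actually covers before buying anything. The `coverage` helper and sample name lists are constructed for this example.

```python
# Added example: RFC 6125 style hostname matching for certificate names.
# Not taken from the question or either answer; names below are constructed.
from typing import Dict, Iterable


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or dNSName SAN) covers hostname.

    Rules mirror what browsers enforce (RFC 6125 section 6.4.3):
    - comparison is case-insensitive;
    - '*' may appear only as the entire leftmost label;
    - that '*' matches exactly one label, never zero and never several.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # Wildcard must be the whole leftmost label, so '*.*.domain.com',
    # 'ja*.domain.com' and a bare '*.com' are all rejected. Browsers also
    # consult the public suffix list; the length check is a simplified stand-in.
    if labels[0] != "*" or len(labels) < 3 or any("*" in lb for lb in labels[1:]):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def coverage(cert_names: Iterable[str], hostnames: Iterable[str]) -> Dict[str, bool]:
    """Map each wanted hostname to whether any name on the certificate covers it."""
    names = list(cert_names)
    return {h: any(san_matches(n, h) for n in names) for h in hostnames}


# Constructed sample: the hostnames the question needs to serve.
WANTED = ["domain.com", "ja.domain.com", "sandbox.domain.com", "ja.sandbox.domain.com"]

if __name__ == "__main__":
    candidates = [
        ("existing cert: *.domain.com + SAN domain.com", ["*.domain.com", "domain.com"]),
        ("double wildcard idea", ["domain.com", "*.*.domain.com"]),
        ("UCC with two wildcards", ["domain.com", "*.domain.com", "*.sandbox.domain.com"]),
    ]
    for label, names in candidates:
        print(label, coverage(names, WANTED))
```

Running it shows the existing certificate and the double-wildcard idea both leave `ja.sandbox.domain.com` uncovered, while a UCC carrying `domain.com`, `*.domain.com` and `*.sandbox.domain.com` covers every name in one certificate.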

Solution 2:

According to http://ssl.com it is definitely technically possible to combine UCC and wildcard certificates. Essentially they recommend using a UCC certificate with one Subject Alt Name containing your wildcard: *.domain.com - They do note that you'll need to pay extra to have wildcards in the UCC.

  • https://info.ssl.com/faq-can-i-use-wildcard-domains-in-my-ucc-certificate/

To cover unlimited subdomains, just create the wildcard domains (ie *.sitename.com) in the common name field or as a SAN (Subject Alternative Name) when you purchase your UCC... You can even put other wildcards in the SAN fields such as *.sub1.sitename.com

  • http://answers.ssl.com/2903/can-use-wildcard-ssl-certificates-with-multi-domain-ucc-certs

Just create the wildcard domains (ie *.sitename.com) in the common name field and/or as a SANS (Subject Alternative Names) when you purchase a UCC (or create one). Most CAs will charge you each wildcard domain as a standard wildcard certificate.

Comodo for example notes when purchasing their UCC certificate that:

Wildcard domains can be added to a UCC for a $399.00 surcharge per domain.

  • https://ssl.comodo.com/unified-communications-uc-ssl-certificates.php

Let's Encrypt

From following the http://LetsEncrypt.com discussion boards it seems that this capability may also be included when it's available later in 2015