Can I use the same wildcard certificate for *.domain.com and domain.com?

Solution 1:

I seem to recall that *.domain.com actually violates RFC anyways (I think only lynx complains though :)

Create a certificate with domain.com as the CN and *.domain.com in the subjectAltName:dNSName names field - that works.

For openssl, add this to the extensions:

subjectAltName          = DNS:*.domain.com

Solution 2:

Unfortunately you cannot do this. The rules for handling wildcards on subdomains are similar to the rules about cookies for subdomains.

www.domain.com       matches    *.domain.com
secure.domain.com    matches    *.domain.com
domain.com      does not match  *.domain.com
www.domain.com  does not match  domain.com

To handle this you will have to obtain two certificates, one for *.domain.com and the other for domain.com. You will need to use two separate IP addresses and vhosts to handle these domains separately.

Solution 3:

Wildcards these days will have *.domain.com and domain.com in the subject alternative name field (SAN). For instance, take a look at quora.com's wildcard SSL cert.

You will see

Subject Alternative Names: *.quora.com, quora.com
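The approach from Solution 1 and Solution 3 (CN = domain.com, SAN carrying both the apex name and the wildcard) carried through as an added example that is not part of any of the answers above. It assumes the openssl CLI (1.0.2 or newer, for -verify_hostname) is in PATH and uses domain.com purely as a placeholder name; the hostname checks at the end reproduce the matching table from Solution 2.

```shell
#!/bin/sh
# Added example: issue a self-signed cert with CN=domain.com and a SAN that
# lists both domain.com and *.domain.com, then ask openssl which hostnames
# the certificate is valid for. Requires the openssl command-line tool.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Minimal request config: subject CN is the apex, SAN carries apex + wildcard.
cat > "$WORKDIR/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no

[ dn ]
CN = domain.com

[ v3_san ]
subjectAltName = DNS:domain.com, DNS:*.domain.com
EOF

# make_cert: writes an unencrypted RSA key and a 30-day self-signed cert.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" \
    -config "$WORKDIR/san.cnf" >/dev/null 2>&1
}

# matches_host NAME: returns 0 if the cert is valid for NAME, 1 otherwise.
# The self-signed cert is used as its own trust anchor so that only the
# hostname (SAN) check decides the outcome.
matches_host() {
  openssl verify -CAfile "$WORKDIR/cert.pem" -verify_hostname "$1" \
    "$WORKDIR/cert.pem" >/dev/null 2>&1
}

make_cert
# Expected: the apex and one-label subdomains match; a two-label name does not.
for h in domain.com www.domain.com secure.domain.com a.b.domain.com; do
  if matches_host "$h"; then echo "$h: match"; else echo "$h: no match"; fi
done
```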