Wildcard not working for sub-sub domain?

Solution 1:

From RFC 2818:

Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

In order to work around this, UCC certificates, a.k.a. Wildcard certificates with Subject Alternate Names (SAN) have been introduced which allow you to specify (along with different domain names) multiple level subdomains as valid hostnames for the certificate. These certificates are supported by all of the major browsers.

Solution 2:

Wildcard certificates do not support sub-subdomains. In other words they are only good for the current domain level.

So if you buy a certificate for *.foo.com it will NOT also secure *.bar.foo.com.

There are various resources on-line including Verisign, GlobalTrust and others that explain this as well. It sucks I know!

Solution 3:

This is expected behaviour. Excerpt from RFC2818 - HTTP Over TLS:

Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.
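To make the RFC 2818 rule quoted in Solutions 1 and 3 concrete, here is a small hostname matcher written for this page (it is not code from the question, the answers, or any library). It implements the quoted rule literally: "*" stands in for one label or a fragment of one label and never crosses a dot, which is exactly why *.foo.com cannot cover bar.foo.com and why a SAN certificate that lists *.bar.foo.com as an additional dNSName does. The SAN lists are constructed examples; the function names are this example's own.

```python
import re

# Constructed SAN lists standing in for two certificates:
# a plain wildcard certificate, and a UCC/SAN certificate that also
# lists a deeper wildcard and the bare apex name.
WILDCARD_ONLY_SANS = ["*.foo.com"]
UCC_SANS = ["*.foo.com", "*.bar.foo.com", "foo.com"]


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Compare a single DNS label from a presented name with a hostname label.

    Per the RFC 2818 wording, '*' matches one whole label ("*.a.com") or a
    fragment of one ("f*.com"). Labels are compared after splitting on '.',
    so a '*' can never absorb a dot and therefore never spans two labels.
    """
    if "*" not in pattern_label:
        return pattern_label == host_label
    # Each literal fragment around the '*' must appear in order; '.*' is
    # safe here because host_label contains no dots by construction.
    regex = "^" + ".*".join(re.escape(part) for part in pattern_label.split("*")) + "$"
    return re.match(regex, host_label) is not None


def dns_name_matches(presented_name: str, hostname: str) -> bool:
    """RFC 2818 style match of one dNSName (possibly wildcarded) against a hostname."""
    p_labels = presented_name.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # '*' never stands for more than one label, so the label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def certificate_covers(sans: list[str], hostname: str) -> bool:
    """A match against any one dNSName in the SAN set is acceptable (RFC 2818)."""
    return any(dns_name_matches(san, hostname) for san in sans)


if __name__ == "__main__":
    for host in ["www.foo.com", "api.bar.foo.com", "foo.com"]:
        print(f"{host:18} wildcard-only: {certificate_covers(WILDCARD_ONLY_SANS, host)!s:5} "
              f"UCC/SAN: {certificate_covers(UCC_SANS, host)}")
```

Two practical caveats when reading the output: the bare name foo.com is not matched by *.foo.com either (one label short), so the apex name needs its own SAN entry just as the sub-subdomain does; and current validation rules (RFC 6125, followed by modern browsers and TLS libraries) are stricter than the RFC 2818 text quoted above and only honour a wildcard that is the entire leftmost label, so the "f*.com" form should not be relied on in a real certificate.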