Wildcard certificate with prefix
I need to have a wildcard certificate that recognizes a prefix; so it would be
www.*.example.com
. That means,www.one.example.com
,www.two.example.com
,www.three.example.com
, etc would all work correctly.
Is this possible, and is there a certificate provider that can do this?
No. According to the rules of the CA browser forum, RFC2818 and RFC6125 only one wildcard is allowed and only in the leftmost label. Which means there is no www.*.example.com
and no *.*.example.com
either. You need instead to add all the domains you need in the subject alternative name part of the certificate, but you could have multiple entries and and you can use wildcards, i.e. *.sub1.example.com
, *.sub2.example.com
etc.
Such certificates with multiple wildcard names are common (look at the certificate for Facebook) which means there are certificate providers which offer these certificates. But they will cost more than others.
Create a .cnf
-file like the following, which you use with openssl req -new -out example.com.csr -key example.com.key -config example.com.cnf
.
You can create the keyfile using
openssl genrsa -out example.com.key 4096
The example.com.cnf
file:
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
commonName = example.com
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.2 = *.example.com
Maybe do you need to use SubjectAltName.
Take a look at: http://wiki.cacert.org/FAQ/subjectAltName