ssl certificates for *.subdomain.example.com

I plan on getting a wildcard certificate for my domain like *.example.com, but I've heard varying reports about whether it will also work with second-level subdomains like *.subdomain.example.com -- reports that it works in Firefox but not in other browsers.

If I want it to work with all browsers, will I need to purchase a wildcard certificate for *.subdomain.example.com?

Is there a place for more definitive information on how this works and with what browsers?


Solution 1:

Matching in wildcard certificates is done on a level-by-level basis, so if you want a certificate that will work for foo.sub.example.com as well as bar.example.com, you need a certificate that has alt names of both *.sub.example.com and *.example.com. If you wanted to also match baz.xyzzy.example.com you'd then need *.*.example.com (instead of *.sub.example.com). It all gets rather unpleasant, and you'd probably need to have a thorough chat with (and a phat checkbook for) your SSL certificate provider, as I can't imagine it's something they deal with daily.

Solution 2:

You either need to get separate wildcard certificates for each level, or have your SSL provider put in multiple levels or specific hostnames as SANs in the wildcard certificate for *.example.com (if you can find a provider to do this).
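Both answers rest on the same rule: a wildcard stands for exactly one DNS label, so `*.example.com` covers `bar.example.com` but not `foo.sub.example.com`. The following Python, added here as an illustration rather than code from either answer, implements that matching rule (RFC 6125 section 6.4.3, the rule browsers apply to SubjectAltName dNSName entries) and checks two constructed SAN lists against the hostnames from the question.

```python
"""Check which SubjectAltName dNSName entries cover a hostname.

Wildcard matching is done one label at a time: "*" matches exactly one
DNS label, and only when it is the entire leftmost label.  The SAN lists
at the bottom are constructed for this illustration, not taken from any
real certificate.
"""
from typing import List, Optional


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if the SAN dNSName `pattern` covers `hostname`."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard never spans a dot, so the label counts must be equal;
    # this is why *.example.com cannot cover foo.sub.example.com.
    if len(p_labels) != len(h_labels):
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    # Only a whole leftmost label may be "*": "*.*.example.com" and
    # "f*o.example.com" are rejected by browsers.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Require at least two labels after the wildcard, so "*.com" is rejected
    # (a simplification of the public-suffix rule, assumed for this example).
    if len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def covered_by(hostname: str, sans: List[str]) -> Optional[str]:
    """Return the first SAN entry that covers `hostname`, or None."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


# Constructed SAN lists: a plain wildcard cert and one with a second level added.
ONE_LEVEL = ["*.example.com"]
TWO_LEVEL = ["*.example.com", "*.sub.example.com"]

if __name__ == "__main__":
    for host in ["bar.example.com", "foo.sub.example.com", "example.com"]:
        print(f"{host:22} one-level: {str(covered_by(host, ONE_LEVEL)):18} "
              f"two-level: {covered_by(host, TWO_LEVEL)}")
```

Note that the bare name `example.com` is covered by neither list; it needs its own SAN entry as well.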