ssl certificates for *.subdomain.example.com

certificate https ssl ssl-certificate wildcard

I plan on getting a wildcard certificate for my domain like *.example.com, but I've heard varying reports about whether it will also work with second-level subdomains like *.subdomain.example.com -- reports that it works in Firefox but not in other browsers.

If I want it to work with all browsers, will I need to purchase a wildcard certificate for *.subdomain.example.com?

Is there a place for more definitive information on how this works and with what browsers?


Solution 1:

Matching in wildcard certificates is done on a level-by-level basis, so if you want a certificate that will work for foo.sub.example.com as well as bar.example.com, you need a certificate that has alt names of both *.sub.example.com and *.example.com. If you wanted to also match baz.xyzzy.example.com you'd then need *.*.example.com (instead of *.sub.example.com). It all gets rather unpleasant, and you'd probably need to have a thorough chat with (and a phat checkbook for) your SSL certificate provider, as I can't imagine it's something they deal with daily.

Solution 2:

You either need to get separate wildcard certificates for each level, or have your SSL provider put in multiple levels or specific hostnames as SANs in the wildcard certificate for *.example.com (if you can find a provider to do this).

Related

Restrict root ssh from all but one IP/hostname
Ways to monitor SIP termination on an asterisk server
Mono on Linux: Apache or Nginx
ZFS: RAIDZ versus stripe with ditto blocks
Fake alert viruses - Warning to users
High-availability on SQL Server, cons and pros of solutions?
Is it possible and how to mount an AIX disk into Linux?
Purposely setting poor Signal Quality on my own WiFi
How to enable ANSI escape codes in Windows cmd?
VoIP phone recommendation with good speakerphone under $300 [closed]
Failure rate statistics for cisco switches
Error installing a .NET Windows service with InstallUtil