Can I use the same wildcard certification for *.domain.com and domain.com

11,341

Solution 1

I seem to recall that *.domain.com actually violates RFC anyways (I think only lynx complains though :)

Create a certificate with domain.com as the CN and *.domain.com in the subjectAltName:dNSName names field - that works.

For openssl, add this to the extensions:

subjectAltName          = DNS:*.domain.com

Solution 2

Unfortunately you cannot do this. The rules for handling wildcards on subdomains are similar to the rules about cookies for subdomains.

www.domain.com       matches    *.domain.com
secure.domain.com    matches    *.domain.com
domain.com      does not match  *.domain.com
www.domain.com  does not match  domain.com

To handle this you will have to obtain two certificates, one for *.domain.com and the other for domain.com. You will need to use two separate IP addresses and vhosts to handle these domains separately.

Solution 3

Wildcards these days will have *.domain.com and domain.com in the subject alternative name field (SAN). For instance, take a look at quora.com's wildcard SSL cert.

You will see

Subject Alternative Names: *.quora.com, quora.com
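To make the matching rules from Solutions 2 and 3 concrete, here is an added example (not code from the original answers) that implements the standard client-side hostname check: a wildcard is accepted only as the entire leftmost label, it matches exactly one label, and the bare domain is covered only if it is listed explicitly. The name lists below are constructed sample values standing in for a certificate's CN and SAN dNSName entries; the second list is the shape Solution 3 describes.

```python
# Added example: hostname matching against certificate names, following the
# strict reading of RFC 6125 section 6.4.3 that browsers apply.
# All certificate name lists and hostnames below are constructed samples.

def _match_one(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (CN or SAN dNSName) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" in hostname:
        return False  # a hostname is never a pattern
    if "*" not in pattern:
        return pattern == hostname  # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Refuse patterns like "*.com": a wildcard needs at least two fixed labels.
    if len(p_labels) < 3:
        return False
    # "*" stands for exactly one label, so "*.domain.com" covers neither
    # "domain.com" (too few labels) nor "foo.bar.domain.com" (too many).
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(cert_names: list[str], hostname: str) -> bool:
    """True if any name the certificate carries covers the requested hostname."""
    return any(_match_one(name, hostname) for name in cert_names)


def coverage_table(cert_names: list[str], hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname to whether the certificate's names cover it."""
    return {host: cert_covers(cert_names, host) for host in hostnames}


# Constructed sample certificates, expressed as the names they carry.
WILDCARD_ONLY = ["*.domain.com"]
WILDCARD_PLUS_APEX = ["*.domain.com", "domain.com"]  # the layout Solution 3 describes

if __name__ == "__main__":
    hosts = ["www.domain.com", "secure.domain.com", "domain.com",
             "foo.bar.domain.com", "domain.com.example"]
    for label, names in (("*.domain.com only", WILDCARD_ONLY),
                         ("*.domain.com + domain.com", WILDCARD_PLUS_APEX)):
        print(label)
        for host, ok in coverage_table(names, hosts).items():
            print(f"  {host:24} {'matches' if ok else 'does not match'}")
```

Running it reproduces the table in Solution 2 for the wildcard-only certificate and shows that adding domain.com as a second SAN entry is what makes the apex name pass; in the openssl extension file from Solution 1 that corresponds to listing both names, `DNS:*.domain.com, DNS:domain.com`, so a single certificate suffices without a second IP address.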

Solution 4

Probably not the answer you're looking for, but I'm 99% sure there isn't a way. Redirect http://domain.com/ to https://www.domain.com/ and just use the *.domain.com as the SSL cert. It's far from perfect, but should hopefully cover most of the cases you are interested in. The only other alternative is to use different IP addresses for domain.com and www.domain.com. Then you can use different certificates for each IP.

Solution 5

No, because they are completely different namespaces. Redirecting the TLD is not an option either, because SSL is transport encryption: it has to decode the SSL before Apache, for example, can even see the request host to redirect it.

Also, as a side note: foo.bar.domain.com is also not valid for a wildcard cert (Firefox, from memory, is the only one that will allow that).


Updated on September 17, 2022

Comments

  • Unknown
    Unknown over 1 year

    You can make an SSL certificate by using *.domain.com as the name.

    But unfortunately, this doesn't cover https://domain.com

    Is there any fix for this?

  • Unknown
    Unknown almost 15 years
    Awww, I just tried it and it doesn't work, at least in firefox.
  • Steve Townsend
    Steve Townsend almost 15 years
    A detail: Ensure *.domain.com is in the subjectAltName:dNSName field
  • Deb
    Deb almost 15 years
    You are correct. "domain.com" is a subdomain of ".com", so the wildcard that would work for it would be "*.com". This is why a cert for *.domain.com works for "www.domain.com" but not for "www.acct.domain.com".
  • Unknown
    Unknown almost 15 years
    @Supermathie how do I do that in the command line?
  • Steve Townsend
    Steve Townsend almost 15 years
    You can't do it directly on the command line, but you can use -extfile and -extensions.
  • Doug Luxem
    Doug Luxem almost 15 years
    +1... this is how we handle our wildcard certificates. I can't comment on how to do this with openssl though.
  • ceejayoz
    ceejayoz over 11 years
    Just confirmed this on one of my own wildcard certs (from Comodo) - non-www worked just fine.
  • John Kloian
    John Kloian almost 9 years
    You can absolutely do this - it's done all the time - see above answer. This is accomplished using the CN and the subject alternate name extension. techbrahmana.blogspot.com/2013/10/…
  • Joshua Pinter
    Joshua Pinter over 4 years
    Works fine for me! Thanks!