Is it possible to have a valid sub-subdomain with a wildcard certificate?
Solution 1
Well, you've already verified that you can't! Here's why:
From: http://www.ietf.org/rfc/rfc2818.txt
Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.
Solution 2
The standards don't allow a wildcard to work on multiple levels. However, you can put the specific multilevel subdomain in as a Subject Alternative Name in the wildcard certificate and it will work. Some certificate providers (like DigiCert) allow this.
Solution 3
Yes, you can use wildcards. But they only extend to that level of subdomain. *.example.com works for test.example.com but not for demo.test.example.com.
You would have to specify *.*.example.com in the certificate. I'm not sure this would continue working with test.example.com.
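To make the rule from Solutions 1 and 2 concrete, here is an added example (my own code, not from any of the answers above) that implements hostname matching the way RFC 2818 describes it: a `*` matches within exactly one DNS label and never crosses a dot, so `*.example.com` has three labels and cannot match the four-label `demo.test.example.com`. It also applies the RFC 6125 restriction that browsers enforce, that a wildcard is only honoured in the left-most label, which is why a `*.*.example.com` entry is treated as matching nothing. The certificate name lists (`wildcard_only`, `with_san`, and the `*.local` variants) are constructed here to mirror the question and the comments; the function names are my own.

```python
"""
Wildcard matching of a hostname against certificate names (CN / SAN entries).
Added example for this Q&A; not code from the original question or answers.

Rules implemented:
  - RFC 2818: '*' matches one label or a fragment of one label ('f*.com'),
    never more than one label, so label counts must be equal.
  - RFC 6125 section 6.4.3 (what browsers enforce): a '*' is accepted only in
    the left-most label; a name such as '*.*.example.com' matches nothing.
"""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Compare one label of the certificate name with one label of the host.
    Labels are compared case-insensitively, as DNS names are."""
    pattern_label = pattern_label.lower()
    host_label = host_label.lower()
    if "*" not in pattern_label:
        return pattern_label == host_label
    # Fragment wildcard ('f*', '*bar'): literal prefix and suffix must frame
    # the host label. Reject labels carrying more than one '*'.
    prefix, _, suffix = pattern_label.partition("*")
    if "*" in suffix:
        return False
    return (len(host_label) >= len(prefix) + len(suffix)
            and host_label.startswith(prefix)
            and host_label.endswith(suffix))


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a single certificate name (CN or dNSName SAN) covers hostname."""
    p_labels = pattern.rstrip(".").split(".")
    h_labels = hostname.rstrip(".").split(".")
    # A wildcard anywhere but the left-most label is not honoured (RFC 6125).
    if any("*" in label for label in p_labels[1:]):
        return False
    # '*' never spans a dot, so the label counts must be identical.
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def certificate_covers(cert_names, hostname):
    """Return the first certificate name that matches hostname, or None.
    cert_names is the CN plus every dNSName SAN, as a browser would collect it."""
    for name in cert_names:
        if name_matches(name, hostname):
            return name
    return None


def run_cases():
    """Worked cases built from the question and comments (names constructed here)."""
    wildcard_only = ["example.com", "*.example.com"]                   # the questioner's cert
    with_san = ["example.com", "*.example.com", "*.test.example.com"]  # Solution 2: extra SAN
    double_star = ["*.local", "*.*.local"]                             # nested wildcard
    fixed_local = ["*.local", "*.y.local"]                             # explicit second level
    return {
        "test via *.example.com": certificate_covers(wildcard_only, "test.example.com"),
        "demo.test via *.example.com": certificate_covers(wildcard_only, "demo.test.example.com"),
        "demo.test via SAN": certificate_covers(with_san, "demo.test.example.com"),
        "x.y.local via *.*.local": certificate_covers(double_star, "x.y.local"),
        "x.y.local via *.y.local": certificate_covers(fixed_local, "x.y.local"),
    }


if __name__ == "__main__":
    for case, matched in run_cases().items():
        print(f"{case}: {matched or 'no match'}")
```

Running it shows `demo.test.example.com` is only covered once `*.test.example.com` is present as a SAN, and that the `*.*.local` entry contributes nothing while `*.y.local` does. When checking a real deployment, compare the server's SAN list (for example from `openssl x509 -noout -ext subjectAltName`) against every hostname you intend to serve rather than assuming a single wildcard reaches every depth.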
David Barnes
I work as a Software Engineer in Minneapolis, Minnesota.
Updated on June 11, 2022
Comments
-
David Barnes about 2 years
Say I have the following domain: example.com
I have a Wildcard SSL certificate for this domain. Subdomains like test.example.com validate properly. However, when I try to use a domain like demo.test.example.com, I get an error message in all major browsers: "demo.test.example.com uses an invalid security certificate. The certificate is only valid for the following names: *.example.com, example.com"
Is it possible to use a wildcard certificate for a "sub-subdomain"?
-
Levite over 9 years
Could the 3 downvoters please explain why this is not a useful answer? It seems correct to me from a technical standpoint, at least when RFC 2818 is implemented correctly! Also he has a good point of saying that certain CAs might not issue multilevel wildcard certificates (although some offer them, even several levels down - digicert used to promote this for example)
-
Barry over 6 years
Not a downvoter, but having tried this to create a *.local, *.*.local certificate with openssl, this doesn't appear to work in practice. Chrome complains that "The server could not prove that it is x.y.local; its security certificate is from *.local". However, regenerating the certificate with *.local, *.y.local does work.