Is it possible to have a valid sub-subdomain with a wildcard certificate?


Solution 1

Well, you've already verified that you can't! Here's why:

From: http://www.ietf.org/rfc/rfc2818.txt

Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

Solution 2

The standards don't allow a wildcard to work on multiple levels. However, you can put the specific multilevel subdomain in as a Subject Alternative Name in the wildcard certificate and it will work. Some certificate providers (like DigiCert) allow this.

Solution 3

Yes, you can use wildcards. But they only extend to that level of subdomain.

*.example.com works for test.example.com but not for demo.test.example.com.

You would have to specify *.*.example.com in the certificate. I'm not sure this would continue working with test.example.com.

Author: David Barnes

I work as a Software Engineer in Minneapolis, Minnesota.

Updated on June 11, 2022

Comments

  • David Barnes (about 2 years)

    Say I have the following domain:

    example.com
    

    I have a Wildcard SSL certificate for this domain. Subdomains like test.example.com validate properly. However, when I try to use a domain like demo.test.example.com, I get an error message in all major browsers:

    demo.test.example.com uses an invalid security certificate.
    
    The certificate is only valid for the following names:
      *.example.com , example.com
    

    Is it possible to use a wildcard certificate for a "sub-subdomain"?

  • Levite (over 9 years)
    Could the 3 downvoters please explain why this is not a useful answer? It seems correct to me from a technical standpoint, at least when RFC 2818 is implemented correctly! Also he has a good point in saying that certain CAs might not issue multilevel wildcard certificates (although some offer them, even several levels down - DigiCert used to promote this for example).
  • Barry (over 6 years)
    Not a downvoter, but having tried this to create a *.local, *.*.local certificate with openssl, this doesn't appear to work in practice. Chrome complains that "The server could not prove that it is x.y.local; its security certificate is from *.local". However, regenerating the certificate with *.local, *.y.local does work.