SSL setup: UCC or wildcard certificates?


Solution 1

First, SAN certificates = UCC certificates. They are both just certificates with the SubjectAltName field.

Second, a wildcard of *.*.domain.com won't work in most browsers. You will either need to get two wildcard certificates (one for *.sandbox.domain.com and one for *.domain.com) or get a wildcard certificate for *.domain.com and have your SSL provider put a specific SubjectAltName of ja.sandbox.domain.com. I think DigiCert and GlobalSign offer this.

Solution 2

According to http://ssl.com it is definitely technically possible to combine UCC and wildcard certificates. Essentially they recommend using a UCC certificate with one Subject Alt Name containing your wildcard: *.domain.com - They do note that you'll need to pay extra to have wildcards in the UCC.

To cover unlimited subdomains, just create the wildcard domains (i.e. *.sitename.com) in the common name field or as a SAN (Subject Alternative Name) when you purchase your UCC... You can even put other wildcards in the SAN fields such as *.sub1.sitename.com

Just create the wildcard domains (i.e. *.sitename.com) in the common name field and/or as SANs (Subject Alternative Names) when you purchase a UCC (or create one). Most CAs will charge you for each wildcard domain as a standard wildcard certificate.

Comodo for example notes when purchasing their UCC certificate that:

Wildcard domains can be added to a UCC for a $399.00 surcharge per domain.

Let's Encrypt

From following the http://LetsEncrypt.com discussion boards it seems that this capability may also be included when it's available later in 2015.
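The name-matching rule that both answers above rely on (a wildcard stands for exactly one label, `*.*.domain.com` is not accepted, and the bare `domain.com` is only covered if it appears as its own SAN entry), worked through as an added Python example that is not part of the original thread or of any CA's tooling. The SAN lists are constructed to mirror the scenarios in the question and are not real certificates; the matching function is a standalone implementation of the RFC 6125 section 6.4.3 rules as browsers apply them, not a library's API.

```python
"""Wildcard / SAN hostname coverage checker (added example, not from the thread).

Rules implemented, as browsers apply them (RFC 6125 s6.4.3 plus the CA/Browser
Forum restriction that a wildcard must be the entire leftmost label):
  * '*' must be the whole leftmost label ('*.domain.com'); 'ja*.domain.com',
    '*.*.domain.com' and the like are invalid patterns and match nothing.
  * one '*' matches exactly one label, so '*.domain.com' covers 'ja.domain.com'
    but neither 'domain.com' nor 'ja.sandbox.domain.com'.
  * everything else must match exactly (case-insensitively).
"""


def _labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels; a trailing dot is ignored."""
    name = name.strip().lower().rstrip(".")
    return name.split(".") if name else []


def is_valid_pattern(pattern: str) -> bool:
    """A SAN dNSName is acceptable if it contains no '*', or exactly one '*'
    forming the entire leftmost label with at least two labels after it."""
    labels = _labels(pattern)
    if not labels or any(label == "" for label in labels):
        return False
    if "*" not in pattern:
        return True
    # Exactly one wildcard, and it must be the whole first label.
    if pattern.count("*") != 1 or labels[0] != "*":
        return False
    # Reject '*.com'-style patterns: need at least two labels after the '*'.
    return len(labels) >= 3


def name_matches(pattern: str, hostname: str) -> bool:
    """Does one SAN entry cover hostname? Exact match or single-label wildcard."""
    if not is_valid_pattern(pattern):
        return False
    p, h = _labels(pattern), _labels(hostname)
    if p[0] != "*":
        return p == h
    # Wildcard: same number of labels (the '*' consumes exactly one), and the
    # remaining labels must be identical. The leftmost host label may not be empty.
    return len(p) == len(h) and p[1:] == h[1:] and h[0] != ""


def covered(san_names: list[str], hostname: str) -> bool:
    """True if any SAN entry of the certificate covers hostname."""
    return any(name_matches(p, hostname) for p in san_names)


def coverage_report(san_names: list[str], hostnames: list[str]) -> dict[str, bool]:
    """Map each wanted hostname to whether the SAN list covers it."""
    return {h: covered(san_names, h) for h in hostnames}


# The four names the question needs to serve.
WANTED = ["domain.com", "ja.domain.com", "sandbox.domain.com", "ja.sandbox.domain.com"]

# Constructed SAN lists for the scenarios in the thread (hypothetical certificates).
PREVIOUS_ADMIN_CERT = ["*.domain.com", "domain.com"]        # wildcard plus bare name in SAN
WILDCARD_ONLY_CERT = ["*.domain.com"]                       # CA did not add the bare name
DOUBLE_WILDCARD_CERT = ["*.*.domain.com", "domain.com"]     # the idea the answer rejects
UCC_WITH_WILDCARDS = ["domain.com", "*.domain.com", "*.sandbox.domain.com"]

if __name__ == "__main__":
    for label, sans in [
        ("previous admin's cert", PREVIOUS_ADMIN_CERT),
        ("wildcard only", WILDCARD_ONLY_CERT),
        ("*.*.domain.com", DOUBLE_WILDCARD_CERT),
        ("UCC with two wildcards", UCC_WITH_WILDCARDS),
    ]:
        print(f"{label:24s} {coverage_report(sans, WANTED)}")
```

Running it shows that only the last SAN list covers all four names; the `*.*.domain.com` entry is rejected outright rather than matching two labels, and a `*.domain.com`-only certificate (the RapidSSL case mentioned in the comments below) leaves `domain.com` itself uncovered.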




Updated on September 17, 2022

Comments

  • Admin
    Admin over 1 year

    I've scoured the web for a clear and concise answer to my SSL question, but to no avail. So here goes:

    I have a web-service requiring SSL support for authentication pages. The root-level domain does not have the "www" - i.e., secure://domain.com - but localized pages use "language-code.domain.com", i.e. secure://ja.domain.com

    So I need at least a wildcard SSL certificate that supports secure://*.domain.com

    However, we also have a public sandbox environment at sandbox.domain.com, which we also need to support under localized domains - so secure://ja.sandbox.domain.com needs to also work.

    The previous admin managed to purchase a wildcard SSL certificate for *.domain.com, but with a Subject Alternative Name for "domain.com". So, I'm thinking of trying to get a wildcard certificate with SANs defined as "domain.com" and "*.*.domain.com".

    But now I'm getting confused because there seem to be separate SAN certificates, also called UCC certificates.

    Can someone clarify whether it's possible to get a wildcard certificate with additional SAN fields, and ultimately what the best way is to support:

    secure://domain.com secure://*.domain.com secure://*.*.domain.com

    with the fewest (and cheapest!) number of SSL certificates?

    Thanks!

    • Admin
      Admin about 14 years
      Subject Alternative Name
  • Jonas
    Jonas about 14 years
    Thanks Robert - you're absolutely right. I ended up getting two certs - one for the sub-domain, another for the sub-sub domain. I should also note, it seems some SSL providers include the root domain in the SAN as a complement, while others do not (in which case you'd need to register another cert). GoDaddy for example includes "domain.com" in the SAN when buying wildcard cert *.domain.com, but RapidSSL does not.
  • Arto Bendiken
    Arto Bendiken about 10 years
    At least since 2013, RapidSSL do include 'domain.com' in the wildcard certificates.