Wildcard SSL certificate for second-level subdomain
Solution 1
RFC 2818 states:
If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.
Internet Explorer behaves in the way outlined by the RFC, where each level needs its own wildcarded certificate. Firefox is happy with a single *.domain.com where * matches anything in front of domain.com, including other.levels.domain.com, but will also handle the *.*.domain.com types as well.
So, to answer your question: it is possible, and supported by browsers.
Solution 2
All answers here are outdated or not fully correct, as they do not consider RFC 6125 from 2011.
According to RFC 6125, only a single wildcard is allowed, and only in the left-most fragment.
Valid:
*.sub.domain.tld
*.domain.tld
Invalid:
sub.*.domain.tld
*.*.domain.tld
domain.*
*.tld
sub.*.*
A fragment, also called a "label", is a closed component; e.g., *.com (2 labels) does not match label.label.com (3 labels). This was already defined in RFC 2818.
Before 2011, RFC 2818 was not fully clear on this:
Specifications for existing application technologies are not clear or consistent about the allowable location of the wildcard character.
This changed with RFC 6125 (2011), section 6.4.3:
The client SHOULD NOT attempt to match a presented identifier in which the wildcard character comprises a label other than the left-most label (e.g., do not match bar.*.example.net).
Solution 3
When a wildcard SSL certificate is issued for *.domain.com, you can secure an unlimited number of subdomains of the main domain.
For example:
- sub1.domain.com
- sub2.domain.com
- sub3.domain.com
- sub*.domain.com
If the wildcard SSL certificate is issued for *.sub1.domain.com, you can secure all second-level subdomains under sub1.domain.com.
For example:
- aaa.sub1.domain.com
- bbb.sub1.domain.com
- ccc.sub1.domain.com
- ***.sub1.domain.com
If you want to secure a limited number of subdomains and second-level domains, you can choose a multi-domain SSL certificate, which can secure up to 100 domain names with a single certificate.
For example:
- domain.com
- sub1.domain.com
- aaa.sub2.domain.com
- domain2.net
- domain3.org
You should know your actual requirements to choose an SSL certificate.
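As an added worked example (not code from the question or from any of the answers above), here is a small Python implementation of the name-matching rules the two preceding answers describe: RFC 6125 section 6.4.3 (Solution 2) and the RFC 2818 rule that a match against any one dNSName in the subjectAltName set is enough (Solutions 1 and 3). It also applies the rule browsers and public CAs enforce that a wildcard must leave at least two labels to its right, which is why `*.tld` appears in the invalid list above even though RFC 6125 itself does not spell that out. The hostnames and SAN lists in the block are constructed for illustration.

```python
"""Match a hostname against certificate dNSName entries the way RFC 6125 6.4.3
describes.  Added example for this page, not code from any of the answers.
The sample names below are constructed for illustration."""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, and split it into labels."""
    labels = name.lower().rstrip(".").split(".")
    if any(not label for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return labels


def wildcard_is_acceptable(presented: str) -> bool:
    """Is the wildcard usage in a presented identifier one a client should honour?

    - at most one '*', and only in the left-most label (RFC 6125 6.4.3 rule 1);
      this rejects sub.*.domain.tld, *.*.domain.tld and domain.*
    - not inside an IDN A-label such as xn--... (rule 3)
    - at least two labels to the right of the wildcard label, so *.tld is
      rejected; this is the browser / public-CA rule, stricter than the RFC text
    """
    labels = _labels(presented)
    if "*" not in presented:
        return True
    if presented.count("*") != 1 or "*" not in labels[0]:
        return False
    if labels[0].startswith("xn--"):
        return False
    return len(labels) - 1 >= 2


def dnsname_matches(reference: str, presented: str) -> bool:
    """Match one reference identifier (the host we connected to) against one
    dNSName from the certificate.  Case-insensitive, trailing dot ignored."""
    if "*" in reference or not wildcard_is_acceptable(presented):
        return False
    ref, pres = _labels(reference), _labels(presented)
    if "*" not in presented:
        return ref == pres
    # A wildcard covers exactly one label (rule 2): *.a.com matches foo.a.com
    # but neither bar.foo.a.com nor a.com, so the label counts must be equal.
    if len(ref) != len(pres) or ref[1:] != pres[1:]:
        return False
    # Left-most label: '*' stands for at least one character, so *.a.com,
    # f*.a.com and *baz.a.com are all handled (RFC 6125 rule 3, a MAY).
    prefix, suffix = pres[0].split("*")
    head = ref[0]
    return (len(head) > len(prefix) + len(suffix)
            and head.startswith(prefix) and head.endswith(suffix))


def cert_matches_host(reference: str, san_dnsnames: list[str]) -> bool:
    """A match against any one dNSName in the SAN set is acceptable (RFC 2818)."""
    return any(dnsname_matches(reference, p) for p in san_dnsnames)


if __name__ == "__main__":
    # Constructed SAN sets mirroring the answers above.
    single_wildcard = ["*.domain.com"]
    double_wildcard = ["*.*.domain.com"]          # can be issued, never matches
    multi_san = ["domain.com", "*.domain.com", "*.sub1.domain.com"]
    for host in ("domain.com", "sub1.domain.com", "aaa.sub1.domain.com"):
        print(f"{host:22}"
              f" *.domain.com={cert_matches_host(host, single_wildcard)!s:5}"
              f" *.*.domain.com={cert_matches_host(host, double_wildcard)!s:5}"
              f" multi-SAN={cert_matches_host(host, multi_san)}")
```

Run it as a script to see the three SAN sets side by side: only the multi-SAN set covers all three hostnames, and the double wildcard covers none, which is the behaviour the answers and comments report from browsers.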
Solution 4
Just to confirm, FF and IE 8 will NOT accept certificates in the form *.*.example.com, although it is technically possible to create them.
Solution 5
I was just doing some research on this, as I have the same requirement to secure sub-subdomains as well, and came across a solution from DigiCert.
This certificate says it will support yourdomain.com, *.yourdomain.com, *.*.yourdomain.com and so on.
It is currently rather pricy, but the hope is that other providers would start offering similar certificates and reduce prices.
Aleksander Blomskøld
Updated on September 17, 2022
Comments
- Aleksander Blomskøld, over 1 year: I'd like to know if any certificates support a double wildcard like *.*.example.com? I've just been on the phone with my current SSL provider (register.com) and the girl there said they don't offer anything like that and that she didn't think it was possible anyway. Can anyone tell me if this is possible, and if browsers support this?
- Mahn, almost 9 years: FYI for future visitors, no browser supports a double wildcard certificate a la *.*.example.com as of 2015. No idea why.
- William, over 8 years: @Mahn Then do you have to write *.a.a.com, *.b.a.com, *.c.a.com, ... manually?
- Mahn, over 8 years: @LiamWilliam apparently, I haven't found other combinations that browsers like up until now. It's a pain.
- Nishanth, over 5 years: @William yes, but on the other hand, don't use the . to separate things in your domain name which belong together - domains are domain concerns. Why would you need phpmyadmin.serverX.domain.com, when phpmyadmin-serverX.domain.com is semantically more accurate and easier to handle in DNS and TLS terms.
- Admin, over 14 years: Thank you! Testing on FF 3.5.7 this morning showed that it is now RFC compliant in the same way as IE. It rejected my *.example.com cert for foo.bar.example.com. So just to clarify, all I need is another wildcard cert that has *.*.example.com as the Common Name?
- Alex, over 14 years: correct, based on that you would need a *.*.example.com
- Robert, over 14 years: I just tested in FF 3.5 and IE 8 and neither would accept a certificate for *.*.example.com. I think the only solution is to use multiple wildcard certificates.
- Brent Pabst, about 12 years: Who wrote this standard? This is worthless. Also a waste of money if you ask me. What does it protect?
- Cathrine Rydning, about 12 years: If double-wildcards cause problems, do specific subdomains around wildcards work? a la SubjectAltName: DNS:foo.*.example.com, DNS:bar.*.example.com
- Sandokas, almost 9 years: this is the right approach. a wildcard cert having multiple (wildcard) names supported
- William, over 8 years: Then do you have to write *.a.a.com, *.b.a.com, *.c.a.com manually?
- Mark Amery, almost 7 years: -1 for making a claim about Firefox's behaviour that flat-out contradicts what all other answers and comments on this page say, without providing any evidence nor any simple mechanism to test the claim.
- nit17, about 6 years: Lol. @MarkAmery, I think that's a little bit of an overreaction considering the answer is 7 years older than your comment. And, the answer starts out by pointing out the RFC is unclear. It's really easy to test. (1) Create a cert with the wildcard domain (2) put it into a web server (3) Test on your own browser.
- Mark Amery, about 6 years: @tudor FWIW, I just tested, and Firefox shows me a "Your connection is not secure" page when accessing sub1.sub2.mydomain.com with an *.mydomain.com certificate, despite considering the cert valid for sub2.mydomain.com. So, as best I can tell, this answer is indeed wrong, at least today. Considering that there was also a comment posted from someone saying that they couldn't reproduce the behaviour on the day that the answer was posted, I'm skeptical about whether it was ever correct.
- Nishanth, almost 6 years: This is a good comprehension but does not answer the question. You mentioned all combinations but not the one the OP asked for (*.*.domain.com).
- Franklin Yu, almost 6 years: @William I think so. This is really unfortunate.
- fragmentedreality, almost 5 years: with letsencrypt you can issue wildcard certs as well. And they allow for multiple SAN. So you can define a set of SAN. E.g. -d *.domain.com -d *.sub1.domain.com -d *.sub2.domain.com.
- sr9yar, over 4 years: I must note that answering guidelines require you to quote essential parts of an article in your answer body, because this link may change over time or the article may get deleted. Otherwise it may not be considered an answer.