Ssl certificates for *.subdomain.example.com

certificatehttpssslssl-certificatewildcard

I plan on getting a wildcard certificate for my domain like *.example.com, but I've heard varying reports about whether it will also work with second-level subdomains like *.subdomain.example.com — reports that it works in Firefox but not in other browsers.

If I want it to work with all browsers, will I need to purchase a wildcard certificate for *.subdomain.example.com?

Is there a place for more definitive information on how this works and with what browsers?

Best Answer

Matching in wildcard certificates is done on a level-by-level basis, so if you want a certificate that will work for foo.sub.example.com as well as bar.example.com, you need a certificate that has alt names of both *.sub.example.com and *.example.com. If you wanted to also match baz.xyzzy.example.com you'd then need *.*.example.com (instead of *.sub.example.com). It all gets rather unpleasant, and you'd probably need to have a thorough chat with (and a phat checkbook for) your SSL certificate provider, as I can't imagine it's something they deal with daily.

Related Solutions

Ssl – Non-Wildcard SSL Certificate and Subdomains

The main limitation is that with one ip address you can have one ssl certificate.

Since you only want ssl on the blog then there's no problem with the setup you've proposed, just make it the only virtualhost listening on 443

# Virtualhosts on ports 80 and 443
NameVirtualHost *:80
NameVirtualHost *:443

# rewrite blog traffic to https
<VirtualHost *:80>
        ServerName blog.example.com
        DocumentRoot /var/www/blog
        RewriteEngine On 
        RewriteRule ^(.*)$ https://blog.example.com/$1 [R,L]
</VirtualHost>

<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key    
        ServerName blog.example.com
        DocumentRoot /var/www/blog
</VirtualHost>

<VirtualHost *:80>
        ServerName othersite.example.com
        DocumentRoot /var/www/other/
</VirtualHost>

The slight limitation here, is that the blog will catch all https traffic here, regardless of hostname, so https://othersite.example.com will point to the blog, and generate errors because the name doesn't match the certificate, but there's no way around that with one ip address.

SSL setup: UCC or wildcard certificates

First, SAN certificate = UCC certificates. They are both just certificates with the SubjectAltName field.

Second, a wildcard of ..domain.com won't work in most browsers. You will either need to get two wildcard certificates (one for *.sandbox.domain.com and one for *.domain.com) or get a wildcard certificate for *.domain.com and have your SSL provider put a specific SubjectAltName of ja.sandbox.domain.com. I think DigiCert and GlobalSign offer this.

Best Answer

Related Solutions

Ssl – Non-Wildcard SSL Certificate and Subdomains

SSL setup: UCC or wildcard certificates

Related Topic