Ssl – If a sub domain is secure with a SSL certificate, will the sub-subdomain also be secure

sslssl-certificate

I have a standard SSL certificate I just purchased from Godaddy. Now it won't let me use a wild card for issuing the certificate for my domain. It says that the * wild card is not included in my product. Which means that I can only secure one domain like subdomain.example.com.

Now my question is that if I get the certificate issued for subdomain.example.com, will it be valid for subdomain2.subdomain.example.com also?

Best Answer

A certificate will only be valid for the names it was issued for. But, a certificate can contain multiple names so in your case you could get a certificate which contains both subdomain.example.com and subdomain2.subdomain.com or maybe just have *.subdmain.example.com. The latter would then match your subdomain2. Please not that a wildcard only matches a single label and that only a leftmost wildcard is possible, that is *.*.example.com is not possible and *.example.com will match subdomain.example.com but not subdomain2.subdomain.example.com or example.com.

Related Solutions

Wildcard SSL Certificate – Securing Root and Sub-Domains

There's some inconsistency between SSL implementations on how they match wildcards, however you'll need the root as an alternate name for that to work with most clients.

For a *.example.com cert,

a.example.com should pass
www.example.com should pass
example.com should not pass
a.b.example.com may pass depending on implementation (but probably not).

Essentially, the standards say that the * should match 1 or more non-dot characters, but some implementations allow a dot.

The canonical answer should be in RFC 2818 (HTTP Over TLS):

Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

RFC 2459 says:

A "*" wildcard character MAY be used as the left-most name component in the certificate. For example, *.example.com would match a.example.com, foo.example.com, etc. but would not match example.com.

If you need a cert to work for example.com, www.example.com and foo.example.com, you need a certificate with subjectAltNames so that you have "example.com" and "*.example.com" (or example.com and all the other names you might need to match).

Ssl – the ssl certificate only work with ‘www.example.com’ and not with ‘example.com’

Since your certificate is valid for both example.com and www.example.com, and both domains are configured to use the same directories, there is no reason that I can see for having them as separate VirtualHosts. I would remove the second VirtualHost and change the first one to look like this:

   <VirtualHost *:443>
            ServerAdmin admin@example.com
            ServerName www.example.com
            ServerAlias example.com

[the rest of the config should look the same as it does in your post]

    </VirtualHost>

Best Answer

Related Solutions

Wildcard SSL Certificate – Securing Root and Sub-Domains

Ssl – the ssl certificate only work with ‘www.example.com’ and not with ‘example.com’

Related Topic