I bought a wildcard certificate for *.example.com. Now, I have to secure *.subdomain.example.com. Is it possible to create a sub-certificate for my wildcard-certificate?
If it is, how I can do this?
No, it is not possible. A wildcard inside a name only reflects a single label and the wildcard can only be leftmost. Thus *.*.example.org or www.*.example.org are not possible. And *.example.org will neither match example.org nor www.subdomain.example.org, only subdomain.example.org.
But you can have multiple wildcard names inside the same certificate, that is you can have *.example.org and *.subdomain.example.org inside the same certificate.
It is impossible to secure multi-level subdomains with a single wildcard certificate. If wildcard certificate issued for *.mydomain.tld, so it can secure only first-level subdomains of *.mydomain.com.
To secure your second-level subdomains, you have two choices.
Purchase another wildcard certificate for *.sub1.mydomain.tld. In that case, you need to manage two individual wildcard certificates.
You can go with a multi-domain wildcard certificate, where you can add up to 100 multiple domains or subdomains.
For example,
*.mydomain.tld
*.sub1.mydomain.tld
*.sub2.mydomain.tld
*.anydomain.com
It will secure your multiple domains and multi-level subdomains and reduce your hassle from multiple certificate management.
As per 7 year old article at https://www.digicert.com/news/2010-9-1-new-wildcard-features/ :
DigiCert Wildcard Plus certificates can secure any subdomain using
subject alternative names (SANs). A traditional wildcard certificate
for *.example.com will only secure a first-level subdomain of
example.com such as mail.example.com. DigiCert’s Wildcard Plus
certificate uses SANs to secure any subdomain of example.com,
including multi-level subdomains such as mail.internal.example.com.
With this new feature, all subdomains can be secured with a single
Wildcard Plus certificate from DigiCert. The base domain itself,
example.com, is automatically included as a SAN in every Wildcard Plus
certificate as well, which increases compatibility and protects
example.com with or without the “www.”
No, You can't create sub-certificate for your wildcard.
-> Your wildcard Certificate is for *.mydomain.tld, so as per Wildcard SSL guideline you can secure first level sub-domains. Means anything.mydomain.tld can be secured.
-> But if you want to use it to secure *.subdomain.mydomain.tld, which is for second level sub-domains, but wildcard certificate cant secure second level sub-domains.
Solution
-> You need to buy one more wildcard SSL Certificate for your second level sub-domain *.subdomain.mydomain.tld
Related
Our site has a lot sub-domains which we all secure with a wildcard SSL certificate. Now we want to add an EV-SSL certificate for our www sub-domain to increase security and trust in our site. The other sub-domains still have to use the wildcard certificate.
The site is configured as a single site on IIS 7 with all sub-domains listed as http(s) bindings.
Is it possible in IIS 7 to use these two certificate types on one domain?
Yes, it is possible to have two different certificates for the same domain name with the help of SNI technology and need to binding your certificates during configuration.
You need to request EV SSL certificate for your example.com which will secure both versions of the domain as www and non-www.
For subdomains security, you can apply for Wildcard SSL certificate for *.example.com
References –
https://www.ssl2buy.com/wiki/server-name-indication-sni-use-multiple-ssl-on-a-single-ip
https://support.comodo.com/index.php?/Knowledgebase/Article/View/639/0/certificate-installation-microsoft-iis-7x
No, it is not possible that you can use two SSL certificate type for same domain name. Because SSL certificate is issued to FQDN (Fully Qualified domain name).
So you can't use two SSL certificate for same domain name.
For example,
If you are using wildcard ssl certificate for blog.xyz.com then you can't take EV SSL certificate for that same domain name.
I have Wild Card SSL Certificate and i need to implement it on multiple domains. on first it is being implemented and on second i have to implement. Is it possible that i can implement the same certificate on Two Domains. Domains are hitting the same IP Address, means hosted on same server. But having different Domains first is like: https://erp.example.com and Second is http://app.example.com. Both application are differently hosted on IIS.
Please suggest.
If the certificate is a *.example.com cert, then yes, you can. That is, after all, the whole point of a wild card certificate: to support any domain combination of the base domain.
We do it ourselves.
I'm unsure if that is your actual question though.
If you have enabled your Wildcard SSL certificate for your domain *.example.com then yes you can secure both subdomains erp (.dot) example.com and app (.dot) example.com.
Below resources will help you to install Wildcard SSL certificate on IIS server very easily:
https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO19990
https://www.clickssl.net/blog/how-to-install-wildcard-ssl-certificate-in-iis-7
You are questioning about two domains, but actually you have two sub-domains under single domain and if you already have Wildcard SSL certificate, your all sub-domains will be protected. Wildcard SSL issued on *.example.com will automatically secure unlimited number of sub-domains. It does not really matter your sub-domains are hosted on same server or differently, you can secure all with Wildcard Certificate.
What will be secured with single Wildcard SSL;
https://app.example.com
https://erp.example.com
https://anything.example.com
Ps: Wildcard certificate will help you secure sub-domain only first level.
We have a multi tenant application which works based on domain wildcard registration, now we would wanted to add SSL certificate to our application,
So I need to correct approach on how it should be used,
I know about godaddy Wildcard SSL with which you can define un-limited no of subdomain and apply this certificate, but in our case the subdomain are not physically specified we are identifying it with wildcard only, all subdomain are pointing to single domain/server only just application who understands and behaves accordingly.
Can someone guide me on this.
A wildcard certificate is signed for CN=*.example.com
That means a HTTPS client/browser will match the invoked DNS name with the wildcard, and as long as it's a level one subdomain, it will match. That is because the * is a special token in the common name (CN).
So foo.example.com and bar.example.com will match. foo.bar.example.com will, however, not.
As far as the certificate is concerned, you don't have to define a list of valid subdomains anywhere.
So your guess is right, simply buy a wildcard certificate from your CA of choice and your done.
I have one website will be accessed by multiple different domains and will have separate SSL certificates for each.
Is it possible?
IF no then Is there any work around to install multiple certificates for single web site?
Instead of having separate SSL certificate for each domain you can go for Multi domain certificate using Subject Alternative Names (SAN). It will be single certificate with multiple domains. Following image shows SAN certificate.
Image Courtesy : DigiCert
SSL Certificate can only be issued to a FQDN (fully qualified domain name).
You better have elaborated your question with examples. By the way, let me guess and try to answer. As you said “You have one website – will be accessed by multiple different domains” - if I'm not wrong your are talking about one website which may be www.domain.com and multiple domains may be sub-domains like, blog.domain.com, photos.domain.com or anything.domain.com. If I have hit bulls eye, you don't need to get different SSL Certificates because all this domain can be secured with single Wildcard SSL Certificate. Wildcard SSL works on asterisk, so it will issued on *.domain.com and anything in place of asterisk will be covered.
But make a note, Wildcard SSL can work only on single level so something like blog.photos.domain.com will not be secured if you have got certificate for *.domain.com
Different Scenario: If you have something like this, domain.com, domain.co.uk, domain.com.eu etc. and it can be secured with different certificates. It may be costly deal if you have 20-30 or more domains, ideally you can get one multi-domain certificate to secure all these. Visit this article which will help you understand difference between Wildcard SSL and SAN functionality more deeply.
I am trying to set up SSL for the first time. I purchased my domain and SSL certificate from Gandi.net. Their docs say
subdomain.example.com indicates the subdomain that you want to
protect. This is the most important part. If you have a single-address
certificate to activate, you should put in the full subdomain (e.g.
foo.example.com). The www subdomain is added automatically by the CA,
for example, example.com will secure both example.com and
www.example.com If you have a wildcard certificate, you should put in
a * for the subdomain (e.g. *.example.com). Wildcard certificates also
secure the raw domain (with no subdomain).
- http://wiki.gandi.net/en/ssl/csr
I am hosting my app on Heroku and their docs say:
The Common Name field must match the secure domain. You cannot
purchase a certificate for the root domain, e.g., example.com, and
expect to secure www.example.com. The inverse is also true.
Additionally, SSL Endpoint only supports one certificate per app.
Please keep this in mind for multi-domain applications and specify a
Common Domain that matches all required domains.
- https://devcenter.heroku.com/articles/ssl-endpoint#acquire-ssl-certificate
These seem to conflict. Please advise!
You'll want to get a certificate from an authority that supports the Subject Alternate Name X.509 extension.
This will let you get a domain with its Common Name set to www.mydomain.com, and an Alternate Name set to mydomain.com(as Lloeki noted, you should provide both names as alternate names).
It depends what Certificate Authority(CA) you have been choosen to purchase certificate.
Some of them provide alternate domain name including "www" like option some of them no.
As you have written above:
I am hosting my app on Heroku and their docs say:
The Common Name field must match the secure domain. You cannot
purchase a certificate for the root domain, e.g., example.com, and
expect to secure www.example.com. The inverse is also true.
Additionally, SSL Endpoint only supports one certificate per app.
Please keep this in mind for multi-domain applications and specify a
Common Domain that matches all required domains. -
https://devcenter.heroku.com/articles/ssl-endpoint#acquire-ssl-certificate
It is true - because yourdomain.com and wwww.yourdomain.com are considered as different domains (multi-domain) and your certificate has to be trusted to recognize both of them. So before generating CSR string please attentively read requirements for CSR string and features provided by a CA.