wildcard certificate does not work for sub-domain - ssl

I have created a wildcard certificate that works for for xxx.domain.com but not for aaa.bbb.domain.com
when creating the certificate:
Common Name (e.g. server FQDN or YOUR name) []:*.domain.com
but it seems to not be enough.

Wildcard SSL certificate matches only one level. See
Problems with SSL and multi level subdomains
wildcard ssl certificate does not cover www version, how do I fix?
https://serverfault.com/questions/296390/ssl-domain-problem-for-signed-asterisk-certificates
https://serverfault.com/questions/645230/why-does-my-wildcard-ssl-certificate-cause-a-domain-mismatch-error-on-a-second-l
https://serverfault.com/questions/87869/ssl-certificates-for-subdomain-example-com
https://security.stackexchange.com/questions/83245/ssl-cert-for-sub-domain-com-and-www-sub-domain-com
https://serverfault.com/questions/104160/wildcard-ssl-certificate-for-second-level-subdomain

Related

Custom TeamSpeak IP no longer working after adding SSL

I am currently using CloudFlare and recently added an SSL certificate to my script.
Before hand, I added an A record (proxied with CloudFlare) that pointed to my TS IP. It worked like this: ts.domain.net:PORT
However, after I added the SSL cert, it doesn't seem to work anymore.
If it matters, my main site IP is also (of course) proxied under CloudFlare
Thanks!
Every certificate contains one or more Subject Alternative Names. You can use the certificate only on domains that are listed as SAN within the certificate, as long as you don't have a wildcard certificate that can be used on a all subdomain, eg. *.mydomain.net.
Therefore for your TS server you need a certificate that contains the SAN ts.domain.net. If your current certificate is only for domain.net you need another certificate for your Teamspeak subdomain.

Bilingual domain wildcard SSL certificate?

I work on a web application with a wildcard cert -- multiple environments all as subdomains of the root domain, works pretty well.
The application is bilingual (english/french), and supports switching between the two, but the domain name remains english. Someone asked me about supporting a French domain name recently, and that sent me off into research mode.
There are apparently internationalized domain names and although the punycode domain feels pretty weird, the user experience seems ok. And there are multi-domain SSL certificates, which I guess would work if we weren't already using a wildcard certificate. Can you get a multi-domain wildcard cert so that you could accept requests on *.cats.ca and *.chats.ca (generic example of a domain name in french and english) or *.cats.com and *.gatos.com for an english/spanish site in America, where a single website host could respond to requests in SSL for subdomains of both domains?
I tried searching, didn't find much -- and I'm not totally convinced this is the right stack exchange, but most of the SSL cert questions I found were here.
There are certificates that do support multi domain wildcards. For example, this one issued by Comodo and another one issued by Digicert. You can probably check with your certificate provider on the availability and cost of such a certificate.
I agree with Anand's answer, Multi Domain Wildcard SSL certificates can protect both multiple domains and their unlimited number of sub-domains.
Domains and Sub-domains it can secure
Comodo offers 3 types of Multi domain wildcard certificates.
Comodo Multi Domain Wildcard - For Organization validation
Comodo Positive Multi-Domain Wildcard - For Domain Validation
Comodo UCC (Unified Communication) Wildcard - For Organization validation on Microsoft Exchange and OCS server.
Here's the deals for Multi Domain Wildcard certificates.

Exchange server wildcard certificate error

We have a local Exchange server that we are testing out. We also have a wildcard certificate and wanted to use that certificate for Exchange. We got the certificate installed correctly, but we get an error notice when Outlook connects to Exchange.
The error is:
"exchange.office.domain.com
...
The name on the security certificate is invalid or does not match the name of the site"
When I "View Certificate...", I see the correct certificate, issued to "*.domain.com"
I am not sure if the problem is that the * does not work for exchange.office, that is how we have the network setup however.
Does anyone know how we can get Exchange to work with the wildcard certificate (we do not want to buy another certificate for testing), or if the problem is the multi-host in the FQDN, how we can get around that?
Thanks for your thoughts.
I don't know if Exchange has their own rules, but for HTTPS a certificate for *.example.com does not match foo.subdomain.example.com. A wildcard is only valid for a single label and only for the leftmost label. See also https://security.stackexchange.com/questions/52478/why-does-firefox-not-trust-this-us-government-ssl-certificate/52479#52479
how we can get around that?
Your only options are to either change the hostname (or provide an alias) to match the certificate or to change the certificate to match the hostname.
Wildcard SSL Certificate can only secure first level domain name.
If you have purchased wildcard SSL certificate for 'domain.com', using wildcard you can secure '*.domain.com' sub-domains. (First Level)
If you have purchased wildcard SSL certificate for ".domain.com", using wildcard you can secure '..domain.com' sub-domains. (Second Level).
As you wants to secure "exchange.office.domain.com" , it is a second level domain name option. So to secure it you need to buy Wildcard SSL certificate for "office.domain.com".

How to choose a common name for different domain patterns

The common name for my SSL Key is .mydomain.com . What common name should i get issued so that i can use a URL like https://api.mydomain.com and https://api-test.mydomain.com ?
You can create a wildcard certificate using *.mydomain.com
Somehow wildcard ssl and simple domain ssl both are same. For your SSL key concern, the only change you should is common name. Wildcard ssl requires key for *.yourdomain.tld.
PS: All SSL CA requires 2048 bit CSR key.
Here you check how it makes difference and similar.
Technical Difference:
Simple ssl and wildcard ssl carry different common name. As explained above.
Simple SSL secures only www and non-www domain name. Where wildcard secures unlimited sub-domain names.
Similar terms:
Both requires domain control verification process. DCV process is compulsory for everyone to acquire ssl certificate.
Both support same technology ssl encryption.
Both requires 2048-bit CSR key.

Is it possible to get one SSL certificate *.mysubdomain.example.com and mysubdomain.example.com

Is it possible to get one SSL certificate *.mysubdomain.example.com and mysubdomain.example.com, I need because I am using 2 IP on my dedicated server but now I am moving to Azure on azure we can't add two https endpoint. or other solution for azure I need two https endpoint
You can purchase a wildcard SSL certificate that encrypts requests made to *.example.com. This will work for an unlimited number of third-level subdomains. To include the second-level (example.com) and forth-level (subforthlev.subthirdlev.example.com) or higher subdomains, you must find a certificate authority (CA) that allows you to include multiple subject alternate names (SANs) in the wildcard certificate. Each non third-level domain needs to be manually added as a SAN.
Edit: I've used DigiCert's wildcard certificates several times and I have not come across a browser or device that did not have their root certificate installed (see their compatibility list). DigiCert wildcard certs allow you to secure an unlimited number of subdomains regardless of the domain level. Excerpt from first link:
DigiCert WildCard ssl certificates are unique in allowing you to secure ANY subdomain of your domain, including multiple levels of subdomains with one certificate. For example, your WildCard for *.digicert.com com could include server1.sub.mail.digicert.com as a subject alternate name.
If you want your certificate to be valid for both *.mysubdomain.example.com and mysubdomain.example.com, it needs to have a Subject Alternative Name entry for both.
The *.mysubdomain.example.com wildcard expression doesn't cover mysubdomain.example.com.
These rules are defined in RFC 2818 and clarified in RFC 6125:
If the wildcard character is the only character of the left-most
label in the presented identifier, the client SHOULD NOT compare
against anything but the left-most label of the reference
identifier (e.g., *.example.com would match foo.example.com but
not bar.foo.example.com or example.com).
In practice, that's indeed how most browsers react.
It's however quite likely that a CA issuing a wildcard certificate for *.mysubdomain.example.com will also add a SAN for mysubdomain.example.com. Check with your CA.
You can use multiple SSL certificates and add them all to the same endpoint by automating the process of installing the certificates on the machine and add HTTPS bindings to IIS.
IIS 8 (Windows Server 2012) supports SNI, which enables you to add a "hostheader" to the HTTPS binding.
I'm a Microsoft Technical Evangelist and I have posted a detailed explanation and a sample "plug & play" source-code at:
http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/