I followed the excellent write up how-do-you-sign-certificate-signing-request-with-your-certification-authority to create my own self-signed cert. I set the SAN for *.pro and *.pro.example.com
If I hit the web02.pro.example.com all works fine.
When I hit web02.pro it doesn't work:
curl --cacert cacert.pem https://web02.pro/version.html
curl: (51) SSL: no alternative certificate subject name matches target host name 'web02.pro'
web02.pro and web02.pro.example.com both resolve to the same machine, and that machine is set up to answer to both names.
The cert I generated shows:
X509v3 Subject Alternative Name:
DNS:*.pro, DNS:*.pro.example.com
Is there anything limit to using a not read TLD for a self-signed cert?
Many clients not only check that the hostname against all names in the certificate, but also only allow wildcards which are not too permissive. This means that wildcards like *.pro.example.com or *.example.com are considered valid while wildcards which only specify the top-level domain like *.pro are considered invalid and will not be included in the validation process.
This reason for this is that below a top-level domain you will usually find lots of domains with different owners. A wildcard certificate for *.pro would thus include domains from different owners which should better not be possible.
Related
I have created a wildcard certificate that works for for xxx.domain.com but not for aaa.bbb.domain.com
when creating the certificate:
Common Name (e.g. server FQDN or YOUR name) []:*.domain.com
but it seems to not be enough.
Wildcard SSL certificate matches only one level. See
Problems with SSL and multi level subdomains
wildcard ssl certificate does not cover www version, how do I fix?
https://serverfault.com/questions/296390/ssl-domain-problem-for-signed-asterisk-certificates
https://serverfault.com/questions/645230/why-does-my-wildcard-ssl-certificate-cause-a-domain-mismatch-error-on-a-second-l
https://serverfault.com/questions/87869/ssl-certificates-for-subdomain-example-com
https://security.stackexchange.com/questions/83245/ssl-cert-for-sub-domain-com-and-www-sub-domain-com
https://serverfault.com/questions/104160/wildcard-ssl-certificate-for-second-level-subdomain
We have a local Exchange server that we are testing out. We also have a wildcard certificate and wanted to use that certificate for Exchange. We got the certificate installed correctly, but we get an error notice when Outlook connects to Exchange.
The error is:
"exchange.office.domain.com
...
The name on the security certificate is invalid or does not match the name of the site"
When I "View Certificate...", I see the correct certificate, issued to "*.domain.com"
I am not sure if the problem is that the * does not work for exchange.office, that is how we have the network setup however.
Does anyone know how we can get Exchange to work with the wildcard certificate (we do not want to buy another certificate for testing), or if the problem is the multi-host in the FQDN, how we can get around that?
Thanks for your thoughts.
I don't know if Exchange has their own rules, but for HTTPS a certificate for *.example.com does not match foo.subdomain.example.com. A wildcard is only valid for a single label and only for the leftmost label. See also https://security.stackexchange.com/questions/52478/why-does-firefox-not-trust-this-us-government-ssl-certificate/52479#52479
how we can get around that?
Your only options are to either change the hostname (or provide an alias) to match the certificate or to change the certificate to match the hostname.
Wildcard SSL Certificate can only secure first level domain name.
If you have purchased wildcard SSL certificate for 'domain.com', using wildcard you can secure '*.domain.com' sub-domains. (First Level)
If you have purchased wildcard SSL certificate for ".domain.com", using wildcard you can secure '..domain.com' sub-domains. (Second Level).
As you wants to secure "exchange.office.domain.com" , it is a second level domain name option. So to secure it you need to buy Wildcard SSL certificate for "office.domain.com".
What CNAME do I need to generate a wildcard certificate and a hostname certificate in one.
Eg. I can generate *.blah.com and also blah.com, but *.blah.com doesn't match blah.com.
I want to know how I can generate a request to match both.
Thanks.
Since, your certificate is *.blah.com, it will not match to blah.com. It will only match to single level sub-domain of blah.com. Not event to a.b.blah.com.
To match certificate both, you can use subjectAltName extension and mention blah.com in its DNS here. Now, it will also match to blah.com.
To see the effect of subjectAltName, open https://kotak.com and https://www.kotak.com. Browser will open both without any complaint. This is because, in subjectAltName, it has also mentioned kotak.com.
The common name for my SSL Key is .mydomain.com . What common name should i get issued so that i can use a URL like https://api.mydomain.com and https://api-test.mydomain.com ?
You can create a wildcard certificate using *.mydomain.com
Somehow wildcard ssl and simple domain ssl both are same. For your SSL key concern, the only change you should is common name. Wildcard ssl requires key for *.yourdomain.tld.
PS: All SSL CA requires 2048 bit CSR key.
Here you check how it makes difference and similar.
Technical Difference:
Simple ssl and wildcard ssl carry different common name. As explained above.
Simple SSL secures only www and non-www domain name. Where wildcard secures unlimited sub-domain names.
Similar terms:
Both requires domain control verification process. DCV process is compulsory for everyone to acquire ssl certificate.
Both support same technology ssl encryption.
Both requires 2048-bit CSR key.
Is it possible to get one SSL certificate *.mysubdomain.example.com and mysubdomain.example.com, I need because I am using 2 IP on my dedicated server but now I am moving to Azure on azure we can't add two https endpoint. or other solution for azure I need two https endpoint
You can purchase a wildcard SSL certificate that encrypts requests made to *.example.com. This will work for an unlimited number of third-level subdomains. To include the second-level (example.com) and forth-level (subforthlev.subthirdlev.example.com) or higher subdomains, you must find a certificate authority (CA) that allows you to include multiple subject alternate names (SANs) in the wildcard certificate. Each non third-level domain needs to be manually added as a SAN.
Edit: I've used DigiCert's wildcard certificates several times and I have not come across a browser or device that did not have their root certificate installed (see their compatibility list). DigiCert wildcard certs allow you to secure an unlimited number of subdomains regardless of the domain level. Excerpt from first link:
DigiCert WildCard ssl certificates are unique in allowing you to secure ANY subdomain of your domain, including multiple levels of subdomains with one certificate. For example, your WildCard for *.digicert.com com could include server1.sub.mail.digicert.com as a subject alternate name.
If you want your certificate to be valid for both *.mysubdomain.example.com and mysubdomain.example.com, it needs to have a Subject Alternative Name entry for both.
The *.mysubdomain.example.com wildcard expression doesn't cover mysubdomain.example.com.
These rules are defined in RFC 2818 and clarified in RFC 6125:
If the wildcard character is the only character of the left-most
label in the presented identifier, the client SHOULD NOT compare
against anything but the left-most label of the reference
identifier (e.g., *.example.com would match foo.example.com but
not bar.foo.example.com or example.com).
In practice, that's indeed how most browsers react.
It's however quite likely that a CA issuing a wildcard certificate for *.mysubdomain.example.com will also add a SAN for mysubdomain.example.com. Check with your CA.
You can use multiple SSL certificates and add them all to the same endpoint by automating the process of installing the certificates on the machine and add HTTPS bindings to IIS.
IIS 8 (Windows Server 2012) supports SNI, which enables you to add a "hostheader" to the HTTPS binding.
I'm a Microsoft Technical Evangelist and I have posted a detailed explanation and a sample "plug & play" source-code at:
http://www.vic.ms/microsoft/windows-azure/multiples-ssl-certificates-on-windows-azure-cloud-services/