Say I have the following domain:
example.com
I have a Wildcard SSL certificate for this domain. Subdomains like test.example.com validate properly. However, when I try to use a domain like demo.test.example.com, I get an error message in all major browsers:
demo.test.example.com uses an invalid security certificate.
The certificate is only valid for the following names:
*.example.com , example.com
Is it possible to use a wildcard certificate for a "sub-subdomain"?
Well, you've already verified that you can't! Here's why:
From: http://www.ietf.org/rfc/rfc2818.txt
Names may contain the wildcard character * which is considered to
match any single domain name
component or component fragment. E.g.,
*.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com
but not bar.com.
The standards don't allow a wildcard to work on multiple levels. However, you can put the specific multilevel subdomain in as a Subject Alternative Name in the wildcard certificate and it will work. Some certificate providers (like DigiCert) allow this.
Yes, you can use wildcards. But they only extend to that level of subdomain.
*.example.com works for test.example.com but not for demo.test.example.com.
You would have to specify *.*.example.com in the certificate. I'm not sure this would continue working with test.example.com.
Technically you could specify the following alternative names in the certificate and then it should work:
example.com
*.example.com
*.*.example.com
I don't know if there are certificate authorities that provide such certificates.
Related
In terms of wildcard ssl certificate, *bar.example.net would match domains like foobar.example.net, but will it also match bar.example.net ?
First of all, *bar.example.net is not valid, it should be *.bar.example.net. This already advances the answer, which is: no, *.bar.example.net does not match bar.example.net.
As Marcos said, you have to provide two entries for domain.com and *.domain.com which will cover for the main domain and any subdomain of the main domain.
We have a multi tenant application which works based on domain wildcard registration, now we would wanted to add SSL certificate to our application,
So I need to correct approach on how it should be used,
I know about godaddy Wildcard SSL with which you can define un-limited no of subdomain and apply this certificate, but in our case the subdomain are not physically specified we are identifying it with wildcard only, all subdomain are pointing to single domain/server only just application who understands and behaves accordingly.
Can someone guide me on this.
A wildcard certificate is signed for CN=*.example.com
That means a HTTPS client/browser will match the invoked DNS name with the wildcard, and as long as it's a level one subdomain, it will match. That is because the * is a special token in the common name (CN).
So foo.example.com and bar.example.com will match. foo.bar.example.com will, however, not.
As far as the certificate is concerned, you don't have to define a list of valid subdomains anywhere.
So your guess is right, simply buy a wildcard certificate from your CA of choice and your done.
I created Wildcard certificate to support my site domain and subdomains.
The new certificate works for my subdomains (e.g www.mydomain.com , sub.mydomain.com)
But when I try to get to mydomain.com I get certificate warning: "the certificate is only valid for *.mydomain.com"
Is it a problem with my configuration or just the Wildcard certificate doesn't support it?
For supporting both example.com and subdomain.example.com the certificate needs to include both *.example.com and example.com as subject alternative names. I assume that the last one is missing from your certificate.
I guess you have purchased wildcard ssl certificate from thawte or symantec, which does not support equally www and non-www. In the past, I purchased thawte wildcard certificate and faced the same type of issue. I just discussed with my vendor to get the solution, they gave me technical support instantly and suggest alphassl wildcard -
https://www.ssl2buy.com/alphassl-wildcard.php. After that, I switched over to alphassl wildcard that works fine on my both domain names mydomain.com, www.mydomain.com as well anything.mydomain.com.
I want to buy a multidomain wildcard certificate for 2 domains: *.domain1.org and *.domain2.org
How i should generate the CSR? Because I have tried to generate it using as common name *.domain1.org but the website where I try to buy not accept wildcard in the common name. In addition, if I only specify one domain in common name, it would be valid for the other domain?
For a Multi Domain wildcard certificate the CSR is to be generated for a non wildcard domain name (like www.domain.com or domain.com).
While completing your order, you have to specify the Wildcard domain names in the Additional domain names list as follows:
*.domain1.com
*.domain2.com
You will need one certificate for each domain. You can't place the wildcard where the domain should be. *.domain1.org and *.domain2.org will work. But *.org will not.
I am trying to set up SSL for the first time. I purchased my domain and SSL certificate from Gandi.net. Their docs say
subdomain.example.com indicates the subdomain that you want to
protect. This is the most important part. If you have a single-address
certificate to activate, you should put in the full subdomain (e.g.
foo.example.com). The www subdomain is added automatically by the CA,
for example, example.com will secure both example.com and
www.example.com If you have a wildcard certificate, you should put in
a * for the subdomain (e.g. *.example.com). Wildcard certificates also
secure the raw domain (with no subdomain).
- http://wiki.gandi.net/en/ssl/csr
I am hosting my app on Heroku and their docs say:
The Common Name field must match the secure domain. You cannot
purchase a certificate for the root domain, e.g., example.com, and
expect to secure www.example.com. The inverse is also true.
Additionally, SSL Endpoint only supports one certificate per app.
Please keep this in mind for multi-domain applications and specify a
Common Domain that matches all required domains.
- https://devcenter.heroku.com/articles/ssl-endpoint#acquire-ssl-certificate
These seem to conflict. Please advise!
You'll want to get a certificate from an authority that supports the Subject Alternate Name X.509 extension.
This will let you get a domain with its Common Name set to www.mydomain.com, and an Alternate Name set to mydomain.com(as Lloeki noted, you should provide both names as alternate names).
It depends what Certificate Authority(CA) you have been choosen to purchase certificate.
Some of them provide alternate domain name including "www" like option some of them no.
As you have written above:
I am hosting my app on Heroku and their docs say:
The Common Name field must match the secure domain. You cannot
purchase a certificate for the root domain, e.g., example.com, and
expect to secure www.example.com. The inverse is also true.
Additionally, SSL Endpoint only supports one certificate per app.
Please keep this in mind for multi-domain applications and specify a
Common Domain that matches all required domains. -
https://devcenter.heroku.com/articles/ssl-endpoint#acquire-ssl-certificate
It is true - because yourdomain.com and wwww.yourdomain.com are considered as different domains (multi-domain) and your certificate has to be trusted to recognize both of them. So before generating CSR string please attentively read requirements for CSR string and features provided by a CA.