Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
We have a wildcard SSL certificate for *.domain.example, and have a website with sub1.sub2.domain.example.
Safari 4.0.4 on macOS pops up a certificate error(presumably because of wildcard interpretation), while Safari 4 on Windows does not.
Also IE8 behavior is mixed at best, some IE8 display the certificate error and some do not.
What causes this strange behavior on Safari and IE?
A wildcard SSL certificate for *.example.net will match sub.example.net but not sub.sub.example.net.
From RFC 2818:
Matching is performed using the matching rules specified by
RFC2459. If more than one identity of a given type is present in
the certificate (e.g., more than one dNSName name, a match in any one
of the set is considered acceptable.) Names may contain the wildcard
character * which is considered to match any single domain name
component or component fragment. E.g., *.a.example matches foo.a.example but
not bar.foo.a.example. f*.example matches foo.example but not bar.example.
If you need a wildcard certificate that contains *.domain.example sites and also work with sub1.sub2.domain.example or another domain like *.domain2.example, you can solve that with a single wildcard certificate with what is called a subject alternative name (SAN) extension for each of the other sub sub domains. A SAN cert is not just for multiple specific host names, it can be created for wildcards entries as well.
For example, *.domain.example, sub1.sub2.domain.example, and *.domain2.example would have a Common Name of *.domain.example then you would attach a subject alternative name of both *.domain2.example and *.sub2.domain.example. It might depend on the Certificate Authority as to how they would charge you (or not) for the certificate, but there are some out there where this offering is available. Also, SAN is support is pretty widespread in the web browser space. The best real world example of this use, it Google's SSL cert. Go open Google and view its SSL certificate, you will see it works for *.google.com, *.youtube.com, *.gmail.com, and a bunch more where they are listed as subject alternative names.
The wildcard is only applied to the first part (from the left) of you domain. So you'll need a certificate for *.sub2.domain.example
If you meant that you have sub1.domain.example and sub2.domain.example, then it should work.
Related
I'm currently trying to build an OpenBanking application, but I'm having a hard time differentiating between the certificates.
I've generated an OBWAC and OBSEAL certificate, however I can't understand what is the difference between those and a QWAC and QSEAL? Are the latter ones issues by a trusted third-party provider or can I generate them too? Do they have some different fields?
In short, the main difference is that OBWAC and OBSealC can only be used for accessing Open Banking APIs of the ASPSPs based in the UK, while QWAC and QSealC can also be used for accessing PSD2 APIs of EU-based ASPSPs (in case the TPP's license allows that). Also in general qualified certificates fall under eIDAS regulation and have application outside open banking (especially QSealC). And yes, qualified certificates can only be issued by Qualified Trust Service Providers (aka QTSP). The list of QTSPs can be found here: https://esignature.ec.europa.eu/efda/tl-browser/#/screen/home (not sure if the UK list is still updated).
Assume I own example.com and I purchasd a wildcard SSL cert that works for *.example.com. Management now wants to create "companion" sites to alreasy existing sites. So if I have foo.example.com and bar.example.com they might also want me to create meow.foo.example.com and woof.bar.example.com.
The existing wildcard cert works for the sub-domain sites, as we've been doing all along. I just learned it does NOT work for sub-sub-domain sites. Is it possible to create a wildcard cert for *.*.example.com?
Would sub-sub-sub-domain's require an additional wildcard cert? So if you want to protect X levels, do you need X certs?
Disclaimer: I spent a while researching this, but are a lot of seemingly conflicting questiona/answers on SO, so I feel bad about asking this again, but I don't want to go through the hassle of purchasing to find out later that I made a mistake.
While there may be some implementations which allow multiple wildcards, effectively the answer is no, multiple wildcards are not allowed.
RFC 6125 (section 6.4.3) tries clarifying the common de facto rules, and distilled down to the core MUSTs the rules are effectively:
If the first character is not * perform a literal match. (non-wildcard).
If the second character is not . then match nothing (invalid wildcard)
Find the first . in the match candidate, and literal-match starting with the second character in the dNSName value.
So *.*.example.com would not match a.b.example.com because .*.example.com != .b.example.com.
Of course, some clients may have implemented their matching logic differently. But counting on anything more lax than this interpretation will result in some clients saying it isn't a match when you were hoping it would.
(Okay RFC 6125 section 6.4.3 doesn't have any actual MUSTs; but if you respect the SHOULD NOTs and don't follow the MAY, but do support wildcard matching, you end up with the above.)
See https://security.stackexchange.com/a/10540/68042
you just need separate certificate for each level of subdomain, with names:
example.com
*.example.com
..example.com
..*.example.com
In theory, single certificate with all those entries in Subject Alt Name extension would do, but it may not work for some cases. Separate certificates are safer.
To use single certificate (for *.example.com) you may use names meow-foo.example.com instead of meow.foo.example.com
You can go for Multi-domain wildcard SSL Certificate it will secure your sub-sub- domain.It can secure below wildcards
- *.mydomain.tld
- *.sub1.mydomain.tld
- *.sub2.mydomain.tld
- *.anydomain.com
I would like to know how many different SubjectAlternativeNames a certificate may have and where this specification is published.
Why? Because FireFox only recognises the first five entries in the SubjectAlternativeName and we have a certificate that picks up a number of common misspellings of one of our websites, all of which have DNS entries pointing to the correct domain.
We do not wish to wildcard this certificate.
Are you sure that
FireFox only recognises the first five entries in the SubjectAlternativeName
because if you go to this page, it has many entries in SubjectAlternativeName and it works fine. Firefox does not complain even if the URL is not in the first five entries and when you click certificate details, it displays all of the entries correctly. I should mention that I'm using version 50.1.0 (but I have tested in version 49.0.2).
Another example of a certificate with six entries can be found here (because previous one has wildcard entries first).
You are correct. Apparently I had previously accepted a permanent exception to the site I was visiting and that certificate, used for testing, only had five SubAtlNames. I cleared the exception and the proper certificate now lists all of the expected alternative names.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
I want to create a web site builder. What I'm thinking is to have a one server as the main web server
my concept is as follows
1 - user enters url (http://www.userdomain.com)
2- it masks and redirect to one of my custom domain (http://www.myapp.userdomain.com)
3 - from the custom domain (myapp.userdomain) my application will identify the web site
3 - according to the website, it will render pages
my concerns are,
1 - is this the proper way of doing something like this (online web site builder)
2- since I'm masking the url i will not be able to do something like
'http://www.myapp.userdomain.com/products'
and if the user refresh the page it goes to home page (http://www.myapp.userdomain.com). how to avoid that
3- I'm thinking of using Rails, liquid for this. Will that be a good option
thanks in advance
cheers
sameera
Masking domains with redirects is going to get messy plus all those redirects may not play nice for SEO. Rails doesn't care if you host everything under a common domain name. It's just as easy to detect the requested domain name as it is the requested subdomain.
I suggest pointing all of your end-user domains directly to the IP of your main server so that redirects are not required. Use the the :domain and :subdomain conditions in the Rails router or parse them in your application controller to determine which site to actually render based on the hostname the user requested. This gives you added flexibility later as you could tell Apache or Nginx which domains to listen for and setup different instances of your application as to support rolling upgrades and things like that.
Sounds like this was #wukerplank's approach and I agree. Custom router to look at the domain name of the current request keeps the rest of your application simple.
There will you get some more help by getting site details of existing online site builder you can look upon [wix][1] , [weebly][2] , ecositebuilder and word press and many
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
Hi, Is there any API to lookup if a given domain name is already registerd by somebody and get alternative (auto suggested available domain names)?
EDIT:- I think the thing I need is called domain-search not the lookup :)
I've written a whois for PHP, Perl, VB and C# all using a trick that queries '{domain}.whois-servers.net'.
It works well for all but the obscure domains that require registration (and usually fees) such as tonga .tv or .pro domains.
PHP Whois (version 3.x but should still work)
C# Whois
COM Whois (DLL only, I lost the source)
This page shows it in action. You can do some simple string matching to check if a domain is registered or not based on the result you get back.
It's called whois... and for auto-suggestion, there is the domain service at 1&1.
http://www.mashape.com/apis/Name+Toolkit#Get-domain-suggestions - Advanced domain name suggestions and domain checking API.
I think you can use http://whois.domaintools.com/ to get the information. Send a web request as http://whois.domaintools.com/example.com and it will return the information of example.com. But you need to parse the response to filter the required information.
http://whois.bw.org/ is very good. does suggestions and such.
I want an api that I can call from my code or pages. The XML API on www.domaintools.com seems like the thing that I need. I'm looking into it.
thanks for your support. I've found a service by domaintools.com called whoisapi. You can query available domain names and other information by sending an xml request to their servers.