Wildcard SSL certificate for second-level subdomain

Question

I'd like to know if any certificates support a double wildcard like *.*.example.com? I've just been on the phone with my current SSL provider (register.com) and the girl there said they don't offer anything like that and that she didn't think it was possible anyway.

Can anyone tell me if this is possible, and if browsers support this?

FYI for future visitors, no browser supports a double wildcard certificate ala *.*.example.com as of 2015. No idea why. — Mahn, Aug 10 '15 at 21:03
@Mahn Then do you have to write *.a.a.com,*.b.a.com,*.c.a.com, ... manually? — William, Sep 02 '15 at 16:14
@LiamWilliam apparently, I haven't found other combinations that browsers like up until now. It's a pain. — Mahn, Sep 02 '15 at 19:13
@William yes, but on the other hand, don't use the . to seperate things in your domain name which belong together - domains are domain concerns. Why would you need phpmyadmin.serverX.domain.com, when phpmyadmin-serverX.domain.com is semantically more accurate and easier to handle in DNS and TLS terms. — Daniel W., Dec 20 '18 at 14:29

score 70 · Answer 1 · edited Oct 22 '20 at 12:43

70

RFC2818 states:

If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

Internet Explorer behaves in the way outlined by the RFC, where each level needs its own wildcarded certificate. Firefox is happy with a single *.domain.com where * matches anything in front of domain.com, including other.levels.domain.com, but will also handle the *.*.domain.com types as well.

So, to answer your question: it is possible, and supported by browsers.

edited Oct 22 '20 at 12:43

yagmoth555

17,059

answered Jan 19 '10 at 15:36

Alex

6,623

6

Thank you! Testing on FF 3.5.7 this morning showed that it is now RFC compliant in the same way as IE. It rejected my *.example.com cert for foo.bar.example.com.
So just to clarify all I need is another wildcard cert that has ..example.com as the Common Name?
– Jan 19 '10 at 17:04
correct, based on that you would need a *.*.example.com – Alex Jan 19 '10 at 18:41
7

I just tested in FF 3.5 and IE 8 and neither would accept a certificate for ..example.com. I think the only solution is to use multiple wildcard certificates. – Robert Jan 21 '10 at 01:16
13

Who wrote this standard? This is worthless. Also a waste of money if you ask me. What does it protect? – Brent Pabst Apr 02 '12 at 23:15
6

If double-wildcards cause problems, do specific subdomains around wildcards work? ala SubjectAltName: DNS:foo.*.example.com, DNS:bar.*.example.com – rcoup May 01 '12 at 21:19
2

-1 for making a claim about Firefox's behaviour that flat-out contradicts what all other answers and comments on this page say, without providing any evidence nor any simple mechanism to test the claim. – Mark Amery Aug 16 '17 at 09:46
1

Lol. @MarkAmery, I think that's a little bit of an overreaction considering the answer is 7 years older than your comment. And, the answer starts out by pointing out the RFC is unclear. It's really easy to test. (1) Create a cert with the wildcard domain (2) put it into a web server (3) Test on your own browser. – tudor -Reinstate Monica- May 14 '18 at 23:49
11

@tudor FWIW, I just tested, and Firefox shows me a Your connection is not secure page when accessing sub1.sub2.mydomain.com with an *.mydomain.com certificate, despite considering the cert valid for sub2.mydomain.com. So, as best I can tell, this answer is indeed wrong, at least today. Considering that there was also a comment posted from someone saying that they couldn't reproduce the behaviour on the day that the answer was posted, I'm skeptical about whether it was ever correct. – Mark Amery May 16 '18 at 10:33

score 62 · Answer 2 · edited Oct 07 '21 at 07:34

All answers here are outdated or not fully correct, not considering the RFC 6125 from 2011.

According to the RFC 6125, only a single wildcard is allowed in the most left fragment.

Valid:

*.sub.domain.tld
*.domain.tld

Invalid:

sub.*.domain.tld
*.*.domain.tld
domain.*
*.tld
sub.*.*

A fragment, or also called "label", is a closed component, e.g.: *.com (2 labels) does not match label.label.com (3 labels) - this has already been defined in RFC 2818.

Before 2011 in RFC 2818 the setting was not fully clear:

Specifications for existing application technologies are not clear or consistent about the allowable location of the wildcard character.

This has changed with RFC 6125 from 2011 (6.4.3):

The client SHOULD NOT attempt to match a presented identifier in which the wildcard character comprises a label other than the left-most label (e.g., do not match bar.*.example.net).

Thank you for the Examples, Citing your Sources, and including Relevant Excerpts from them. This was very helpful. I came here wondering if sub.*.domain.tld was invalid; and now I have my answer. — MikeTeeVee, Jun 16 '23 at 17:15

score 24 · Answer 3 · answered Jan 08 '15 at 12:19

When Wildcard SSL certificate is issued for *.domain.com, you can secure your unlimited number of sub domains over the main domain.

For example:

sub1.domain.com
sub2.domain.com
sub3.domain.com
sub*.domain.com

If the Wildcard SSL certificate is issued on *.sub1.domain.com, in that case you can secure all second level subdomains which are listed under the sub1.domain.com

For example:

aaa.sub1.domain.com
bbb.sub1.domain.com
ccc.sub1.domain.com
***.sub1.domain.com

If you want to secure limited number of sub domains and second level domains, then you can choose multi domain SSL that can secure up to 100 domain names with a single certificate.

For example:

domain.com
sub1.domain.com
aaa.sub2.domain.com
domain2.net
domain3.org

You should know your actual requirements to choose an SSL certificate.

This is a good comprehension but does not answer the question. You mentioned all combinations but not the one the OP asked for (..domain.com). — Daniel W., Aug 08 '18 at 08:58

score 23 · Answer 4 · answered Jan 27 '10 at 16:36

23

Just to confirm FF and IE 8 will NOT accept certificates in the form *.*.example.com although it is technically possible to create them.

answered Jan 27 '10 at 16:36

3

Then do you have to write *.a.a.com,*.b.a.com,*.c.a.com manually? – William Sep 02 '15 at 16:02
3

@William I think so. This is really unfortunate. – Franklin Yu Aug 17 '18 at 19:01

score 8 · Answer 5 · answered Jan 06 '13 at 23:54

8

I was just doing some research on this as I have the same requirements to secure sub subdomains as well and came across a solution from DigiCert.

This certificates says it will support yourdomain.com, *.yourdomain.com, *.*.yourdomain.com and so on.

It is currently rather pricy, but the hope is that other providers would start offering similar certificates and reduce prices.

answered Jan 06 '13 at 23:54

F21

716

this is the right approach. a wildcard cert having multiple (wildcard) names supported – drAlberT May 28 '15 at 10:23
We have this certificate from digicert. It supports it, but not by default. You have to create a duplicate cert and specify all the subdomains in the cert. Its not automatic. – L_7337 Jun 03 '16 at 19:50

score 8 · Answer 6 · answered Sep 17 '13 at 16:19

This could be worth a new round of tests with current browser versions.

My personal quick check results in: Firefox 20.0.1 seems to still not support this. It shows:

This certificate is only valid for *.*.mydomain.com

...when surfing to https://svn.project.mydomain.com.

Internet Explorer 9.0:

The certificate of this website was made for another address

Notes:

Both statements translated from German to English, by me. Probably I did not use the same phrases as the English browser versions would show.
I used a self-signed certificate. Which caused the browsers to show an additional sentence of warning. I assume that the quotes above would also be shown with a trusted certificate issuer. Verifying this was out of the scope of my "quick check".

Hassan Faghihi · Answer 7 · 2019-10-14T21:54:38.630

although i'm not looking into your question, i just happened to read something about it minutes ago:

https://www.instantssl.com/articles/can-you-create-a-wildcard-ssl-certificate-for-two-levels.php

this explain that you cannot use double asterisk

Edit

Add part of the quote in case the website goes down or it's too long to read

What is not possible is to try to cover both the subdomains of mail.xyz.com and photos.xyz.com with a single Wildcard. The CA or Certificate Authority can only provide an SSL certificate with a single (*). You could not generate a Certificate Signing Request that looked like ..xyz.com to try to cover more than one second level subdomain group.

The Reason Why

The reasons it is not possible to have a "double wildcard" SSL certificate is that the placeholder, the asterisk, can only stand in for one field in the name submitted to the CA. After all, the CA has to verify all information, and too many variables in the certificate would decrease the security and confidence the certificate provides.

Additionally, and this is important for IT managers and website owners as well, the internal security cannot be compromised as easily. Keep in mind that any type of security issue once an SSL certificate is in place is much more likely to occur from an internal security breach where someone with access to the private key and certificate is able to set up a subdomain website that is actually covered by the SSL.

I must note that answering guidelines require you to quote essential parts of an article in your answer body. Because this link may change over time or the article may get deleted. Otherwise it may not be considered an answer. — sr9yar, Oct 14 '19 at 20:15

score 0 · Answer 8 · answered Feb 12 '13 at 17:25

0

What you can do is something like *.domain.com and then *.www.domain.com or *.mail.domain.com. I've never seen *.*.domain.com on a production site.

You can get a wildcard (*.domain.com) but you will also need *.www.domain.com as a alternative subject name entry to get this to work. The only companies that I know offer this are ssl.com and digicert. There may be others but I'm not sure.

answered Feb 12 '13 at 17:25

Colt Blake

81

1

with letsencrypt you can issue wildcards certs as well. And they allow for multiple SAN. So you can define a set of SAN. E.g. -d *.domain.com -d *.sub1.domain.com -d *.sub2.domain.com. – fragmentedreality Jun 27 '19 at 05:31

Wildcard SSL certificate for second-level subdomain

8 Answers8

Edit

Linked

Related