
If you visit the XDA developers website and see the certificate information, they list both *.XDA-developers.com and each subdomain individually in the SAN field. If they used a wildcard, why do they have to list each subdomain individually?

[Screenshot of the certificate's Subject Alternative Name entries]

harrymc
  • 480,290
rsn
  • 111
  • Most likely they had individual entries, then came back and added a wildcard and didn't remove the specific individual entries (either due to an oops, or maybe there was a Nagios/etc monitor looking for api.xda-developers.com in the SAN and they didn't want to update it) – bartonjs Nov 16 '18 at 17:40

1 Answer


The type of the certificate you see is called "Multi-Domain SSL Certificate".

These SSL certificates protect different domains with a single certificate, using the SAN extension. For this reason, these certificates are often referred to as SAN certificates.

SAN names are generally not required to belong to the same domain. In other words, it’s perfectly fine for a certificate to cover a list of names like the following:

example.com
www.example.com
foo.bar.hello.com
another.domain.com

So these are not sub-domains that are listed, but domains in their own right. Their common denominator is that they are all protected by this one SSL certificate.

It wouldn't surprise me if all these domains were housed in one Web server that is using this same certificate for all its serviced domains.

References :

harrymc
  • 480,290
  • But they have the same base domain though. Why include mail.example.com, img.example.com and *.example.com in the SAN field? The *.example.com already covers the mail and img subdomains. The image posted in the question (thanks) shows all the subdomains and the wildcard too. Isn't it redundant? – rsn Nov 15 '18 at 10:19
  • That someone was me. It's true that this is a bit wasteful and could be done with *.example.com, but this is an internal decision of the site administrator. Maybe some obscure browser they need to support does not do wildcards, or maybe the administrator just overdid it "for good measure". In any case, this might not be elegant, but it works for them. Their website needs to work on many devices and many browsers, and works well, so we can't fault their work without full knowledge of the circumstances. – harrymc Nov 15 '18 at 10:30
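The answer above describes a SAN list mixing unrelated names, and the comments ask whether listing mail.example.com next to *.example.com is redundant. The following is an added example (not code from the question, the answer, or any XDA or Super User source) that implements the dNSName matching rules browsers apply (RFC 6125 section 6.4.3, with the CA/Browser Forum restriction that a wildcard may only be the entire leftmost label) and runs them over a constructed SAN list. Besides confirming the redundancy, it shows the one case a wildcard does not cover: the bare domain itself, which is why example.com must still appear as its own entry. The SAN list is made up for illustration and is not XDA's real certificate; the code only does name matching, not chain or signature validation.

```python
"""
Match hostnames against a certificate's Subject Alternative Name (SAN)
dNSName entries the way browsers do.

Added example; the SAN list is constructed, not taken from a real cert.
"""

from typing import Iterable, List, Optional


def _normalize(name: str) -> str:
    """DNS names are case-insensitive; also drop one trailing dot (FQDN form)."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName entry covers `hostname`.

    Rules applied:
    - exact match, case-insensitive;
    - a wildcard is honoured only as the *entire* leftmost label
      ("*.example.com"), never "f*o.example.com" or "*.*.example.com";
    - the wildcard stands in for exactly one label, so "*.example.com"
      covers "mail.example.com" but neither "example.com" nor
      "a.b.example.com";
    - patterns with fewer than two fixed labels ("*", "*.com") are
      rejected, as public CAs and browsers reject them.
    """
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label and the only one.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Require at least two fixed labels after the wildcard.
    if len(p_labels) < 3:
        return False
    # Exactly one hostname label replaces the '*', so label counts agree.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def covering_entry(san_names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first SAN entry that covers `hostname`, or None."""
    for entry in san_names:
        if dns_name_matches(entry, hostname):
            return entry
    return None


def redundant_entries(san_names: List[str]) -> List[str]:
    """Return the non-wildcard entries already covered by a wildcard entry
    in the same list (the redundancy discussed in the comments)."""
    wildcards = [n for n in san_names if n.startswith("*.")]
    return [
        n for n in san_names
        if "*" not in n and any(dns_name_matches(w, n) for w in wildcards)
    ]


# Constructed SAN list mirroring the page's situation: a wildcard, the
# bare domain, two hosts under it, and one unrelated domain.
SAMPLE_SAN = [
    "*.example.com",
    "example.com",
    "mail.example.com",
    "img.example.com",
    "another.domain.com",
]

if __name__ == "__main__":
    for host in ["example.com", "mail.example.com", "api.example.com",
                 "a.b.example.com", "another.domain.com", "evil.com"]:
        print(f"{host:20} -> {covering_entry(SAMPLE_SAN, host)}")
    print("redundant:", redundant_entries(SAMPLE_SAN))
```

Running it shows mail.example.com and img.example.com matched by the wildcard (so those two entries are indeed redundant), api.example.com covered even though it is not listed, and example.com covered only by its own explicit entry; a.b.example.com is covered by nothing, since a wildcard never spans two labels.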