3

Probably a rather odd question, but something that came to mind.

Wildcard certificates are about 10 times more expensive than a single certificate. However, with a single certificate, you can secure sub-domains like secure.example.com etc.

My question is, what prevents me from simply buying a normal single certificate and then putting *.example.com in the CSR? Is that even possible? Or do SSL vendors have checks in place to know the difference between an actual sub-domain and a wildcard/* sub-domain?

I'd try myself but I already have all the SSL certs I need.

Alien595
  • Vendors have lots of checks in place so that you do not get a certificate which does not belong to you. And they definitely also have checks in place to make sure that you don't just get an expensive certificate the cheap way. – Steffen Ullrich Mar 07 '16 at 16:32
  • To be more specific, they would probably check if the Common Name in the certificate contains a wildcard before signing the certificate, when technically speaking it doesn't cost them more to sign a certificate containing a wildcard. It's simply part of their business model. – Vahid Mar 07 '16 at 16:37
  • It would be worth your time to read through this Q/A. http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work – Jack Bahou Mar 07 '16 at 16:43
  • These days you can get certificates for free, so it doesn't really matter if you get the free ones from LetsEncrypt.org. – JOW Mar 07 '16 at 17:30
  • One constraint: if you want Extended Validation (EV) the CABforum rules prohibit wildcard name in EV cert. But if you care about 'expensive' you probably don't want EV. – dave_thompson_085 Mar 14 '16 at 17:28
  • I believe you can still put up to 500 domains in the SAN field of a regular DV cert... which is almost as good as a wildcard and in fact can allow for coverage of multiple domains (ex - abc.com, test.abc.com, xyz.com, mno.ca) – Dallas Jun 27 '18 at 04:02

3 Answers

2

Wildcard certificates are not as costly as you think; I bought a wildcard certificate at $42 for one year, which I think is affordable. https://www.ssl2buy.com/wildcard-ssl-certificate

There is a difference between a single and a wildcard certificate, because a standard certificate can secure only your single website and a wildcard certificate can secure an unlimited number of sub-domains.

When you order a single certificate you should generate a CSR for a domain name like www.example.com, which can secure both versions of the website, www and non-www. If you want to secure sub-domains, you should add an * asterisk before the domain name, like *.example.com.

As per your question, if you are buying a single certificate and generate a CSR for *.example.com, the certificate authority will not verify your order and will not send the certificate file.
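An added example (not part of the original answers, and not any CA's actual code): a Go sketch of the kind of pre-issuance check discussed above, which reads the names from the CSR's Common Name and SAN fields and refuses wildcard names on a single-name order. The function names `makeCSR` and `checkOrder`, the product labels "single" and "wildcard", and the sample CSR are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// makeCSR builds a DER-encoded CSR for a constructed sample order.
func makeCSR(cn string, sans []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}, DNSNames: sans}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// checkOrder is a hypothetical pre-issuance check. It returns the names in the
// CSR that the purchased product ("single" or "wildcard") does not cover.
func checkOrder(csrDER []byte, product string) ([]string, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil { // proof of possession of the key
		return nil, err
	}
	var rejected []string
	// Inspect the SAN entries as well as the Common Name.
	for _, name := range append([]string{csr.Subject.CommonName}, csr.DNSNames...) {
		if strings.Contains(name, "*") && product != "wildcard" {
			rejected = append(rejected, name)
		}
	}
	return rejected, nil
}

func main() {
	// Constructed order: plain Common Name, wildcard placed only in the SAN list.
	der, err := makeCSR("example.com", []string{"example.com", "*.example.com"})
	if err != nil {
		panic(err)
	}
	for _, product := range []string{"single", "wildcard"} {
		rejected, err := checkOrder(der, product)
		fmt.Println(product, rejected, err)
	}
}
```

The sample CSR keeps the Common Name plain and puts the wildcard only in the SAN list, so the check has to look at both fields to catch it.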

1

If you purchase a certificate from a CA for a hostname like www.example.com (as the Common Name in the Subject field of the certificate), most CAs will also include the domain name example.com in the Subject Alternate Name field, so that the certificate will work for both www.example.com and example.com. But that's usually the extent of it. If you want to also secure another hostname, such as mail.example.com, you'll need to purchase another certificate for this hostname, or purchase a wildcard certificate.

mti2935
1

Certificates are now free! And everyone should use them.

Because of "services" like Let's Encrypt (and possibly others in the future)

You can create as many certificates for single domains as you want, but also wildcard certificates were implemented March 13th 2018, according to their own upcoming features page.

Jim Wolff
  • I am not sure that the wildcard cert feature is really working. Multiple domain names in a single cert work. – peterh Jun 20 '18 at 14:38
  • @peterh according to [this link](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) support for it is live, but the many supporting tools that use the API might not be updated yet; that might be why. – Jim Wolff Jun 21 '18 at 10:38
  • Uhm, and I've bought a rolls royce, just I didn't transfer its price yet... ;-) – peterh Jun 21 '18 at 10:39