
I know that you can't use an SSL wildcard certificate for multiple subdomains. e.g. If I have a certificate for *.example.com I can use it for domains like test.example.com but not for test.test.example.com.

Why is that? I don't see a security reason why this was done.

If I'm the verified owner of example.com, why should connections to x.x.example.com be insecure?

Lars

1 Answer


Certificates for *.example.com are only valid for one subdomain level.

If you want a certificate valid for x.x.example.com you need a certificate with x.x.example.com or *.x.example.com; that's how it works.

Patrick Mevzek
Tom
    Yes I know how it works. But I wanted to know why it is this way. As far as I know there is no security benefit from not allowing it. – Lars Dec 13 '16 at 14:44
    @Lars: there's a minor benefit that it simplifies implementation. However, I think the main reason why the standard doesn't allow arbitrary-depth certificates has more to do with the commercial incentive of the certificate authorities. The CAs are also the ones who write the certificate standard, and for them, the current limitation means they can charge more money for sub-sub-domains, and there hasn't been a strong enough push to extend the standard in this manner from the non-CA authors of the standard. – Lie Ryan Dec 13 '16 at 17:01
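The one-label rule the answer describes is what TLS clients actually implement when they compare a certificate name against the host they connected to (RFC 6125 section 6.4.3; older clients follow RFC 2818 section 3.1). The following is an added example, not code from the question or the answer above: a small reference matcher that reproduces that behaviour, plus a helper that lists which certificate names would cover a given host. The "at least two labels after the wildcard" floor is an assumption standing in for the public-suffix checks real browsers perform; the host names are constructed for illustration.

```python
"""Reference wildcard host-name matching as TLS clients apply it.

Added example (not code from the original post). Implements the rules of
RFC 6125 section 6.4.3 that make "*.example.com" cover "test.example.com"
but not "test.test.example.com" or "example.com". The minimum-label floor
used to reject "*.com" is an assumption; browsers consult a public-suffix
list instead.
"""
from __future__ import annotations


def _split_labels(name: str) -> list[str]:
    # DNS names compare case-insensitively; a trailing dot is the root label.
    return name.lower().rstrip(".").split(".")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`.

    Rules applied:
      * a wildcard is honoured only as the entire left-most label
        ("*.example.com"); "*" anywhere else, or a partial label such as
        "t*.example.com", is rejected outright;
      * the wildcard stands for exactly one label, never zero and never two,
        so the host must have the same number of labels as the pattern;
      * the pattern must keep at least two literal labels after the "*"
        (assumed floor, so "*.com" cannot match "example.com").
    """
    p_labels = _split_labels(pattern)
    h_labels = _split_labels(hostname)

    if "*" not in pattern:
        # Plain name: exact, case-insensitive comparison of every label.
        return p_labels == h_labels

    # The wildcard must be the whole first label and must not recur elsewhere.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False  # "*" or "*.com" is too broad (assumed floor)

    # One label consumed by the wildcard, so label counts must be identical.
    # This single comparison is what rejects test.test.example.com.
    if len(h_labels) != len(p_labels):
        return False
    if not h_labels[0]:
        return False  # empty left-most label (e.g. "..example.com")
    return h_labels[1:] == p_labels[1:]


def names_for_certificate(hostname: str) -> list[str]:
    """List the certificate names (SAN entries) each of which would cover
    `hostname`: the exact name, plus the only wildcard form that can match it,
    i.e. "*" replacing the left-most label. For x.x.example.com this yields
    x.x.example.com and *.x.example.com, as the answer states."""
    labels = _split_labels(hostname)
    names = [".".join(labels)]
    if len(labels) >= 3:
        names.append("*." + ".".join(labels[1:]))
    return names


if __name__ == "__main__":
    # Constructed host names illustrating the behaviour asked about.
    checks = [
        ("*.example.com", "test.example.com"),
        ("*.example.com", "test.test.example.com"),
        ("*.example.com", "example.com"),
        ("*.x.example.com", "x.x.example.com"),
        ("t*.example.com", "test.example.com"),
    ]
    for pattern, host in checks:
        print(f"{pattern:20} vs {host:24} -> {hostname_matches(pattern, host)}")
    print("names covering x.x.example.com:", names_for_certificate("x.x.example.com"))
```

Run it and the second and third lines print False: the wildcard label is compared one-to-one against a single host label, so a host with more (or fewer) labels never reaches the suffix comparison. That mechanical rule, not any check on who owns example.com, is why a *.example.com certificate is rejected for x.x.example.com.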