
I know there are some tricks to play with wildcards to make a certificate valid for all the subdomains (such as here), but my question is: what is the design reason that certificates can be issued for subdomains? Why might someone need to get different certificates for subdomains? Is there any security reason that people get different certificates for different subdomains of a domain? I would appreciate it if someone could give some hints on it.

Alex

2 Answers


There are a few cases for this:

Compromised hosts: say you have a company, company.xyz, a wildcard, and a few machines on there: blog.company.xyz, www.company.xyz, mail.company.xyz, vpn.company.xyz. If someone compromises your blog and gets hold of the private key of that certificate, all your domains are compromised. Having individual certificates for each subdomain would not put everything (SSL VPN, mail server) at risk when one of them is compromised.

Service providers: some cloud providers give subdomains where one can host an application on a "free domain". Think of Azure's cloudapp.net, Google's appspot.com and Amazon's amazonaws.com. The fact that several users use the same cloud provider should not take away the ability to secure its connections better.

ndrix

Subdomain certificates are common when you have different security domains. For example, the domains may be managed by different teams in the company, whose personnel aren't expected to cross over. For example, the company might have its code repository managed by the IT team but production environments managed by a separate Operations team.

Another common reason is that you have separate dev and production environments in subdomains; the prod subdomain may be managed with stricter security constraints than dev. There may be company policy or legal requirements that prod be segregated from dev in some industries, which may include not reusing the same prod private keys in other systems.

Another reason is that you might have to use a CDN to deal with delivering your large static files, but do not want them to have a copy of the private key you use for the rest of the company's more sensitive data. Alternatively, you might have a subdomain actually be served by a Software-as-a-Service provider in your custom domain but don't want the SaaS provider to be able to impersonate the rest of your company. You can use separate certificates for these third parties, so you can manage and revoke their certificates separately without affecting the rest of the company.

Lie Ryan
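The point both answers make (a leaked wildcard key exposes every host, a per-host key exposes only its own host, and a third party's key can be treated separately) can be made concrete by computing the blast radius of a stolen key. This is an added example, not code from either answer: the two certificate inventories and the host list are constructed, and hostname matching follows the browser rule that a `*` may only be the whole leftmost label and matches exactly one label.

```python
def name_matches(pattern: str, hostname: str) -> bool:
    """True if the SAN entry `pattern` is valid for `hostname` (RFC 6125 style).

    '*.company.xyz' covers 'blog.company.xyz' but not 'company.xyz' (the bare
    domain) and not 'a.b.company.xyz' (two labels). A '*' anywhere other than
    the entire leftmost label is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return "*" not in pattern and pattern == hostname
    suffix = pattern[1:]                      # ".company.xyz"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]       # the label the '*' must stand for
    return bool(leftmost) and "." not in leftmost


def blast_radius(inventory: dict, leaked_key: str, hosts: list) -> list:
    """Hosts an attacker could impersonate after the private key `leaked_key`
    (a name in `inventory`, mapping key name -> list of SAN entries) is stolen."""
    sans = inventory[leaked_key]
    return sorted(h for h in hosts if any(name_matches(s, h) for s in sans))


# Constructed host list for the company in the first answer, plus a CDN host.
HOSTS = ["company.xyz", "www.company.xyz", "blog.company.xyz",
         "mail.company.xyz", "vpn.company.xyz", "static.company.xyz"]

# Deployment A (constructed): one wildcard key shared by every machine.
WILDCARD_DEPLOYMENT = {"wildcard-key": ["company.xyz", "*.company.xyz"]}

# Deployment B (constructed): one key per host; the CDN-served static host has
# its own key, so it can be revoked alone without touching the other hosts.
PER_HOST_DEPLOYMENT = {
    "apex-key": ["company.xyz", "www.company.xyz"],
    "blog-key": ["blog.company.xyz"],
    "mail-key": ["mail.company.xyz"],
    "vpn-key":  ["vpn.company.xyz"],
    "cdn-key":  ["static.company.xyz"],
}

if __name__ == "__main__":
    # Stealing the blog's key: 6 hosts exposed with the wildcard, 1 without.
    print(blast_radius(WILDCARD_DEPLOYMENT, "wildcard-key", HOSTS))
    print(blast_radius(PER_HOST_DEPLOYMENT, "blog-key", HOSTS))
    print(blast_radius(PER_HOST_DEPLOYMENT, "cdn-key", HOSTS))
```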