
I've been trying to understand the process of how certificates are registered, and wildcard certificates got my attention.

For some companies that offer free hosting on their site, I noticed that clients with free accounts can also have a valid SSL certificate.

For example, take a company ABC Hosting with the website abchosting.com. Its website has a valid SSL certificate, and so do the other subdomains they provide for newly free-hosted clients. So they can have as many as person1.abchosting.com, company1.abchosting.com, blog1.abchosting.com.

But when I checked crt.sh, some of the subdomains were not there yet. Are wildcard certificates registered later than the main domains?

And if they are registered later, is there a way to monitor the SSL certificates issued under the wildcard of that domain aside from crt.sh?

Thank you.

  • I assume instead of "late" you mean "after". The order in which certificates are requested or issued has no impact on the certificates and their validity. If you want to monitor issued certificates, check certificate transparency and its certificate logging. You can see the real-time certificate log e.g. here: https://certstream.calidog.io – Robert Mar 10 '22 at 12:52
  • I am referring to those free hosted sites with free SSL certificates under the SSL certificate of the host domain. In this case, these free hosted sites were using the wildcard subdomain of the host domain. I would like to know if they are fed accurately in a timely manner just like the regular domains. – glovescoffee Mar 10 '22 at 14:12
  • Sorry, but I don't understand what you mean by "if they are fed accurately in a timely manner". The only time that matters for a certificate is the time span during which the certificate is valid (not valid before, not valid after). – Robert Mar 10 '22 at 14:19
  • Okay, sorry for that. :) I would like to observe the subdomain certificates attached to a domain on a real-time basis. For example, there's a registered domain glovescoffee.com with a wildcard certificate for the subdomain *.glovescoffee.com. I would like to monitor all subdomains that will be registered or fed under that wildcard. :) – glovescoffee Mar 11 '22 at 05:08

1 Answer

2

That's a DNS question more than a certificate question.

The *. wildcard in a Subject Alternative Name dNSName entry doesn't expand to all the subdomains that were valid when the certificate was issued; rather, the asterisk is burned into the certificate, and the decision is made by the client library at the time it's requesting a resource.

It's entirely valid for example.org to obtain a *.example.org certificate with no registered subdomains... they proved they own the rights to the example.org name. After getting that certificate they could then register demo.example.org in the DNS servers, and voilà, the cert matches that. They could then remove it... and set up a completely different demo.example.org, and the cert still matches it.

I don't know if it's even possible to accurately enumerate DNS subdomains. If a domain has its own DNS server, it could have non-enumerable records and use some opaque mechanism to turn a specific request (e.g. demo.example.org) into an RR (resolvable record: IPv4, IPv6, or CNAME entry), and then that just propagates as expected.

bartonjs
  • 1,723
  • 7
  • 9
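The client-side matching the answer describes, as an added example that is not part of the original answer: the wildcard label in a SAN dNSName is compared against the requested hostname at connection time, using the RFC 6125 rules that TLS libraries apply (the asterisk matches exactly one left-most label, so *.example.org covers demo.example.org but not example.org or a.b.example.org). The SAN list is a constructed sample, not taken from any real certificate.

```python
import re
from typing import Iterable

# Constructed sample: the SAN dNSName entries of a hypothetical
# *.example.org certificate, as in the answer above.
SAN_DNS_NAMES = ["example.org", "*.example.org"]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName pattern against a requested hostname.

    Rules (RFC 6125 section 6.4.3, as implemented by common TLS clients):
    - comparison is case-insensitive and ignores a trailing dot;
    - '*' is only accepted as the entire left-most label;
    - the wildcard matches exactly one label, never zero or several.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole left-most label, appear nowhere else,
    # and leave at least two literal labels (reject "*.com"-style names).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # One wildcard label covers exactly one hostname label.
    if len(h_labels) != len(p_labels):
        return False
    # The label consumed by '*' must be a non-empty, syntactically valid label.
    if not re.fullmatch(r"[a-z0-9-]+", h_labels[0]):
        return False
    return h_labels[1:] == p_labels[1:]


def certificate_covers(san_names: Iterable[str], hostname: str) -> bool:
    """True if any SAN dNSName entry of the certificate matches hostname."""
    return any(dns_name_matches(name, hostname) for name in san_names)
```

Note that nothing in this check consults DNS: whether demo.example.org exists as a record today, tomorrow, or never has no bearing on whether the certificate matches it.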