7

I am wondering if it's possible to create a wildcard certificate with a prefix.

I know that *.example.com will cover anything at the first level (e.g. one.example.com, two.example.com, three-four.example.com, etc.), but will not cover another.one.example.com because that's 2 levels.

I need to have a wildcard certificate that recognizes a prefix; so it would be www.*.example.com.

That means, www.one.example.com, www.two.example.com, www.three.example.com, etc would all work correctly.

Is this possible, and is there a certificate provider that can do this?

Patrick Mevzek
vuduy

3 Answers

10

I need to have a wildcard certificate that recognizes a prefix; so it would be www.*.example.com. That means, www.one.example.com, www.two.example.com, www.three.example.com, etc would all work correctly.

Is this possible, and is there a certificate provider that can do this?

No. According to the rules of the CA/Browser Forum, RFC 2818 and RFC 6125, only one wildcard is allowed, and only in the leftmost label, which means there is no www.*.example.com and no *.*.example.com either. You need instead to add all the domains you need in the subject alternative name part of the certificate, but you could have multiple entries and you can use wildcards, i.e. *.sub1.example.com, *.sub2.example.com etc.

Such certificates with multiple wildcard names are common (look at the certificate for Facebook), which means there are certificate providers which offer these certificates. But they will cost more than others.

Steffen Ullrich
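The matching rule the answer above describes (one wildcard, only as the whole leftmost label, covering exactly one label) can be checked in code. The following Python is an added example written for this page, not code from the answer or from any TLS library; the name lists it tries are the ones from the question, and the "at least two labels to the right of the wildcard" check is the CA/Browser Forum-style rule against names like *.com, not something the answer spells out.

```python
"""Check hostnames against certificate DNS names under the single-leftmost-wildcard
rule (RFC 6125 section 6.4.3 / CA/Browser Forum style), as described in the answer above."""
import re
from typing import Iterable, List, Optional

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _labels(name: str) -> List[str]:
    """Lower-case a name, drop a trailing dot and split it into labels."""
    return name.lower().rstrip(".").split(".")


def validate_cert_name(name: str) -> Optional[str]:
    """Return None if `name` may appear as a dNSName in a certificate, else the reason it may not."""
    labels = _labels(name)
    if labels.count("*") > 1:
        return "more than one wildcard label"
    for i, label in enumerate(labels):
        if label == "*":
            if i != 0:
                return "wildcard is only allowed in the leftmost label"
            if len(labels) < 3:
                return "wildcard needs at least two labels to its right (no *.com)"
        elif "*" in label:
            return "wildcard must be the whole label (no partial wildcards such as w*)"
        elif not _LABEL.match(label):
            return f"invalid label {label!r}"
    return None


def name_matches(cert_name: str, host: str) -> bool:
    """True if one certificate dNSName entry covers `host`.

    A wildcard label matches exactly one host label, so *.example.com covers
    one.example.com but neither example.com nor another.one.example.com.
    """
    if validate_cert_name(cert_name) is not None:
        return False                      # an invalid name never matches anything
    cert_labels = _labels(cert_name)
    host_labels = _labels(host)
    if len(cert_labels) != len(host_labels):
        return False                      # a wildcard cannot absorb extra labels
    for c, h in zip(cert_labels, host_labels):
        if not _LABEL.match(h):
            return False                  # hostnames never contain wildcards
        if c != "*" and c != h:
            return False
    return True


def san_covers(san_names: Iterable[str], host: str) -> bool:
    """True if any subjectAltName dNSName entry covers `host`."""
    return any(name_matches(n, host) for n in san_names)


if __name__ == "__main__":
    # The names from the question, then the multi-wildcard SAN list the answer recommends instead.
    for bad in ("www.*.example.com", "*.*.example.com", "w*.example.com"):
        print(f"{bad:<20} -> {validate_cert_name(bad)}")
    san = ["*.one.example.com", "*.two.example.com", "*.three.example.com"]
    for host in ("www.one.example.com", "www.three.example.com", "www.four.example.com"):
        print(f"{host:<22} covered: {san_covers(san, host)}")
```

Running it shows why www.*.example.com is rejected outright while a SAN list of *.one.example.com, *.two.example.com, ... covers www.one.example.com and www.two.example.com; a host under a sub-domain not listed (www.four.example.com) is simply not covered, which is the trade-off of enumerating the sub-domains.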
3

Create a .cnf file like the following, which you use with openssl req -new -out example.com.csr -key example.com.key -config example.com.cnf. You can create the key file using

openssl genrsa -out example.com.key 4096

The example.com.cnf file:

[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]
commonName = example.com

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

# every name the certificate must cover; each key (DNS.1, DNS.2, DNS.3, ...) must be unique
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = *.example.com
sebix
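Before feeding a config like the one above to openssl req it is worth checking the [alt_names] section mechanically: a repeated key (DNS.2 listed twice, for example) is at best ambiguous, and a wildcard in any position other than the leftmost label will never match anything even if a CA were to sign it. The following Python linter is an added example written for this page; it is a hypothetical helper, not part of OpenSSL or of the answer, and the embedded config is a constructed sample modelled on the answer with a deliberately repeated DNS.2 key.

```python
"""Lint the [alt_names] section of an OpenSSL req config before generating a CSR.
Hypothetical helper (not part of OpenSSL); the sample config is constructed for this example."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the answer above, with a repeated DNS.2 key left in on purpose.
SAMPLE_CNF = """\
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name

[req_distinguished_name]
commonName = example.com

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.2 = *.example.com
"""


def parse_sections(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal INI-style parser that keeps every key = value pair in order, duplicates included
    (configparser would either raise on the duplicate or silently keep only one value)."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # OpenSSL configs use # for comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current].append((key, value))
    return sections


def wildcard_error(name: str) -> Optional[str]:
    """Reject names that violate the single-leftmost-wildcard rule from the accepted answer."""
    labels = name.lower().split(".")
    if labels.count("*") > 1 or any("*" in lab and lab != "*" for lab in labels):
        return "only one wildcard is allowed and it must be a whole label"
    if "*" in labels and labels[0] != "*":
        return "the wildcard must be the leftmost label"
    return None


def lint_alt_names(text: str) -> List[str]:
    """Return the problems found in [alt_names]; an empty list means the section is clean."""
    entries = parse_sections(text).get("alt_names", [])
    if not entries:
        return ["[alt_names] section missing or empty"]
    problems: List[str] = []
    seen = set()
    for key, value in entries:
        if key in seen:
            problems.append(f"duplicate key {key} = {value}: keys in a section must be unique")
        seen.add(key)
        if key.upper().startswith("DNS."):
            err = wildcard_error(value)
            if err:
                problems.append(f"{key} = {value}: {err}")
    return problems


def fix_alt_names(text: str) -> List[str]:
    """Rewrite the DNS.* entries with unique, consecutive suffixes, keeping order and values."""
    dns_values = [v for k, v in parse_sections(text).get("alt_names", [])
                  if k.upper().startswith("DNS.")]
    return [f"DNS.{i} = {v}" for i, v in enumerate(dns_values, start=1)]


if __name__ == "__main__":
    for problem in lint_alt_names(SAMPLE_CNF):
        print("problem:", problem)
    print("corrected [alt_names] entries:")
    print("\n".join(fix_alt_names(SAMPLE_CNF)))
```

The linter only reads the config; it does not replace checking the resulting CSR with openssl req -noout -text -in example.com.csr, which shows the exact dNSName entries that ended up in the request.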
2

Maybe you need to use SubjectAltName.

Take a look at: http://wiki.cacert.org/FAQ/subjectAltName

mvillar