You can make an SSL certificate by using *.domain.com as the name.
But unfortunately, this doesn't cover https://domain.com
Is there any fix for this?
I seem to recall that *.domain.com actually violates RFC anyways (I think only lynx complains though :)
Create a certificate with domain.com as the CN and *.domain.com in the subjectAltName:dNSName names field - that works.
For openssl, add this to the extensions:
subjectAltName = DNS:*.domain.com
Unfortunately you cannot do this. The rules for handling wildcards on subdomains are similar to the rules about cookies for subdomains.
www.domain.com matches *.domain.com
secure.domain.com matches *.domain.com
domain.com does not match *.domain.com
www.domain.com does not match domain.com
To handle this you will have to obtain two certificates, one for *.domain.com and the other for domain.com. You will need to use two separate IP addresses and vhosts to handle these domains separately.
Wildcards these days will have *.domain.com and domain.com in the subject alternative name field (SAN). For instance, take a look at quora.com's wildcard SSL cert.
You will see
Subject Alternative Names: *.quora.com, quora.com
Probably not the answer you're looking for, but I'm 99% sure there isn't a way. Redirect http://domain.com/ to https://www.domain.com/ and just use the *.domain.com as the SSL cert. It's far from perfect, but should hopefully cover most of the cases you are interested in. The only other alternative is to use different IP addresses for domain.com and www.domain.com. Then you can use different certificates for each IP.
No, because they are completely different name spaces. Redirecting the TLD is not an option either, because SSL is transport encryption: it has to decode the SSL before Apache, for example, can even see the request host to redirect it.
Also, as a side note: foo.bar.domain.com is also not valid for a wildcard cert (Firefox, from memory, is the only one that will allow that).
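The matching rules the answers above describe (a wildcard covers exactly one label, so *.domain.com covers www.domain.com but neither domain.com nor foo.bar.domain.com, and a SAN list carrying both names covers everything) can be checked with a small name matcher. This is an added example, not code from any of the posters; the SAN list is constructed and the function names are my own.

```python
import re

# Constructed SAN dNSName list of the kind a modern wildcard cert carries.
# Legacy CN-only matching is deliberately ignored: clients check SANs.
SAN_DNS_NAMES = ["domain.com", "*.domain.com"]

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName (possibly a wildcard) against a hostname.

    Rules follow the RFC 6125 style that browsers apply:
    - comparison is case-insensitive, trailing dots are ignored
    - '*' is only honoured as the complete left-most label
    - a wildcard matches exactly one label, so *.domain.com does NOT
      cover domain.com (too few labels) or foo.bar.domain.com (too many)
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if not all(_LABEL.match(label) for label in h):
        return False  # malformed hostname never matches
    if any("*" in label for label in p[1:]):
        return False  # wildcard anywhere but the first label is invalid
    if p[0] == "*":
        if len(p) < 3:
            return False  # refuse "*" and "*.com"-style patterns
        # same label count, and every label after the wildcard identical
        return len(h) == len(p) and h[1:] == p[1:]
    if "*" in p[0]:
        return False  # partial wildcards like "f*o.domain.com" rejected
    return h == p  # no wildcard: exact match


def cert_covers(san_names, hostname: str) -> bool:
    """True if any SAN entry in the certificate matches the hostname."""
    return any(san_matches(name, hostname) for name in san_names)


if __name__ == "__main__":
    for host in ("domain.com", "www.domain.com", "foo.bar.domain.com"):
        print(f"{host:22} wildcard only: {cert_covers(['*.domain.com'], host)!s:5} "
              f"wildcard + bare: {cert_covers(SAN_DNS_NAMES, host)}")
```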