
We already have a wildcard certificate for *.mycompany.com. Our network has hosts that are only reachable internally. All of them belong to the internal.mycompany.com subdomain. There is a private server with the host name server.internal.mycompany.com on which I deployed our wildcard certificate.

When I visit the web server I get a host name mismatch error. Do I really have to get another wildcard certificate for *.internal.mycompany.com or is there another (free!?) way to use our wildcard certificate for all of our subdomains and its subdomains without getting an error in the browser?

  • Best way to get this answer is to dial up your SSL provider and ask them if there is any solution for this; this is what I would do if I had some problem with something and I had a paid account with the provider. Though as far as I know it is not possible to use a wildcard issued for your main domain for a sub-of-sub-domain; you need to create a new cert. – Pratap Sep 09 '14 at 10:46
  • You can deploy a free self-signed root certificate for internal purposes. – JamesRyan Sep 09 '14 at 11:36
  • @JamesRyan: Please take a look at [my comment for the accepted answer](http://serverfault.com/questions/627219/do-i-have-to-buy-a-second-wildcard-certificate-for-a-subdomain/627224?noredirect=1#comment753174_627224) and why I don’t think that self-signed certificates are a solution. – Rafael Bugajewski Sep 09 '14 at 11:42
  • I just got a response from Comodo: “If you need to install in a different server for one of your subdomains, you need to generate the CSR again from your server and contact … to replace the CSR and get your certificate re-issued. Once you get the new certificate, try to install that new certificate for internal.mycompany.com; re-issuing the certificate will not affect the previous installations.” – Rafael Bugajewski Sep 09 '14 at 13:25

3 Answers


# Yes, you will have to buy another certificate*

The asterisk wildcard character * will only match 1 label in a resolved FQDN.

This behavior reflects RFC 4592 Section 3.3, in its description of DNS label matching and fallback to the asterisk label.

If you only need to secure a single endpoint under the .internal.mycompany.com. namespace, you don't need a wildcard certificate, just buy a regular single-subject certificate.


*) The CA/Browser Forum Baseline Requirements for public certificate issuance do permit wildcard names in the SAN extension of a certificate, so technically a single certificate could be valid for wildcard matching on multiple subdomains, but I have never seen this type of product advertised off-the-shelf anywhere, and I would assume it to be overly expensive.

Mathias R. Jessen
  • When I run my own CA I would have to make sure that all certificates are deployed on all clients as my target is to make the user-experience as hassle-free as possible. When I buy a certificate from an already trusted CA I only have to make sure to deploy everything on the servers. A couple of hundred bucks is a lot of money for internal use only for five years, though. Am I missing something? – Rafael Bugajewski Sep 09 '14 at 10:59
  • Well, in that light, a couple of hundred bucks over five years to lessen your headache is peanuts :-) – Mathias R. Jessen Sep 09 '14 at 11:02
  • If you have Active Directory you can push out a self-signed root cert to internal users on the domain automatically, and then the process is transparent to users. – JamesRyan Sep 09 '14 at 11:48
  • @JamesRyan: We don’t have any Windows servers in our environment, but that’s an interesting point. In the end I bit the bullet, took out the credit card and just bought another certificate for *.internal.mycompany.com and now everything works as intended. Thanks for your help guys. – Rafael Bugajewski Sep 09 '14 at 16:05
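The single-label rule the accepted answer describes, shown as an added worked example (this is not code from the thread): a small matcher that applies the certificate name-matching rules browsers enforce (RFC 6125, section 6.4.3) to the names from the question. The hostnames and the SAN list are constructed sample data; the rule set is deliberately the strict subset current browsers accept, so partial wildcards such as `ser*.example.com` are rejected.

```python
"""Certificate hostname matching as browsers apply it (RFC 6125, section 6.4.3).

Added example for this thread, not code from the original answers.  It shows
why a certificate for *.mycompany.com does not cover
server.internal.mycompany.com: a wildcard stands in for exactly one DNS label.
"""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate dNSName `pattern` covers `hostname`.

    Rules applied (the strict subset every mainstream browser enforces):
      * comparison is case-insensitive and ignores a trailing dot;
      * without a wildcard, the names must be identical label by label;
      * a wildcard must be the entire leftmost label ("*.example.com");
        partial wildcards such as "ser*.example.com" are rejected;
      * at least two literal labels must follow the wildcard (no "*.com");
      * the wildcard matches exactly one label, never zero or several.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if not all(p_labels) or not all(h_labels):   # reject "" and "a..b"
        return False
    if "*" not in pattern:
        return p_labels == h_labels
    if pattern.count("*") != 1 or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # Same label count: "*.mycompany.com" has 3 labels, so it can only match
    # 3-label hosts; server.internal.mycompany.com has 4 and is rejected.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(san_dns_names, hostname) -> bool:
    """True if any dNSName in the certificate's SAN list matches `hostname`."""
    return any(dns_name_matches(name, hostname) for name in san_dns_names)


# Constructed data mirroring the thread: the existing wildcard certificate and
# the hosts the asker wanted it to cover.
WILDCARD_SAN = ["*.mycompany.com"]
HOSTS = [
    "www.mycompany.com",
    "mycompany.com",
    "server.internal.mycompany.com",
    "internal.mycompany.com",
]


def coverage_report(san_dns_names=WILDCARD_SAN, hosts=HOSTS):
    """Map each host to whether the certificate would be accepted for it."""
    return {host: cert_covers(san_dns_names, host) for host in hosts}


if __name__ == "__main__":
    for host, ok in coverage_report().items():
        print(f"{host:32} {'OK' if ok else 'NAME MISMATCH'}")
```

Running it reproduces the asker's situation: `www.mycompany.com` and even `internal.mycompany.com` itself are accepted, because each has exactly one label in the wildcard position, while `server.internal.mycompany.com` (one label too many) and the bare `mycompany.com` (one label too few) both produce the name mismatch. Adding `*.internal.mycompany.com` to the SAN list is what makes the internal host pass.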

According to wildcard SSL certificate security protocols, it allows only protection of first-level domains, which also includes your main domain, such as domainname.com and domain.domainname.com. It allows unlimited subdomain security, but they must be first-level domains.

If you want to protect a subdomain name in the format domain.domain.domainname.com, technically known as a second-level subdomain name, then you must have another wildcard SSL certificate specifically for that subdomain name's security.

Jake Adley

The wildcard SSL certificate can secure only single-level subdomains. If you have a wildcard SSL certificate issued for *.mycompany.com, then it will secure mycompany.com and all its subdomains.

If your requirement is securing second-level subdomains, you should create a CSR for *.internal.mycompany.com (with this, mycompany.com will get a domain name mismatch warning in browsers, so you need to purchase a standard SSL certificate for mycompany.com).

It is possible to secure your entire website with a single multi-domain certificate. With a Multi Domain SSL certificate, you can secure multiple websites, subdomains and multi-level subdomains:

  • mycompany.com
  • mycompany.co.uk
  • internal.mycompany.com
  • *.mycompany.com
  • server.internal.mycompany.com ... anycompany.anytld

The Multi Domain SSL certificate is also known as a SAN SSL certificate, and it counts each entry as an individual SAN name.

You should evaluate how many subdomains are created under mycompany.com and *.internal.mycompany.com, which will help you choose the right certificate product.

A detailed scenario is already explained here: Wildcard SSL certificate for second-level subdomain

Jason Parms
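The evaluation step this answer ends on (count the hosts under each parent domain, then pick wildcard or individual SAN entries) as an added worked example, not the answer's own code. It takes a constructed host inventory built from the names used in the thread, proposes a SAN list, and then checks which hosts the existing `*.mycompany.com` certificate alone leaves uncovered. The `wildcard_threshold` knob is an assumed policy choice, and the Public Suffix List check a real planner would need (so it never proposes `*.co.uk`) is left out.

```python
"""Plan the SAN entries for a multi-domain certificate.

Added example for this thread, not the answer's own code.  Given the list of
hostnames you actually need to serve, it groups them by parent domain and
proposes one SAN entry per group: a wildcard where several hosts share a
parent, individual names otherwise, and the bare apex listed explicitly
because no wildcard covers it.
"""
from collections import defaultdict


def plan_san_entries(hostnames, wildcard_threshold=2):
    """Return a sorted list of dNSName entries that cover every hostname.

    `wildcard_threshold` is the number of hosts under one parent at which a
    wildcard is preferred over listing them individually (assumed policy
    knob, not anything a CA mandates).  A real planner would also consult the
    Public Suffix List so it never proposes a wildcard such as "*.co.uk";
    that check is omitted here.
    """
    by_parent = defaultdict(set)
    entries = set()
    for name in hostnames:
        name = name.lower().rstrip(".")
        labels = name.split(".")
        # A wildcard needs at least two literal labels after it, so a host
        # with fewer than three labels (the apex) can only be listed as-is.
        if len(labels) < 3:
            entries.add(name)
            continue
        by_parent[".".join(labels[1:])].add(name)
    for parent, hosts in by_parent.items():
        if len(hosts) >= wildcard_threshold:
            entries.add("*." + parent)
        else:
            entries |= hosts
    return sorted(entries)


def uncovered_hosts(entries, hostnames):
    """Hosts that none of the given entries match (one-label wildcard rule)."""
    def covered(entry, host):
        if entry.startswith("*."):
            # Same number of labels and the literal suffix identical.
            return host.count(".") == entry.count(".") and host.endswith(entry[1:])
        return entry == host
    return sorted(h for h in hostnames if not any(covered(e, h) for e in entries))


# Constructed inventory based on the names that appear in the thread.
INVENTORY = [
    "mycompany.com",
    "www.mycompany.com",
    "mail.mycompany.com",
    "server.internal.mycompany.com",
    "db.internal.mycompany.com",
    "mycompany.co.uk",
]

if __name__ == "__main__":
    print("hosts the existing *.mycompany.com leaves uncovered:")
    for h in uncovered_hosts(["*.mycompany.com"], INVENTORY):
        print("   ", h)
    plan = plan_san_entries(INVENTORY)
    print("proposed SAN entries:", plan)
    print("still uncovered:", uncovered_hosts(plan, INVENTORY))
```

For this inventory the planner proposes four entries: `*.mycompany.com`, `*.internal.mycompany.com`, the apex `mycompany.com` and the lone `mycompany.co.uk`. Raising the threshold to 3 drops both wildcards in favour of listing the six hosts individually, which is the trade-off between wildcard convenience and per-name SAN slots that this answer asks you to weigh.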