We have a use case where we'd like to provide an SSL certificate for:

auth.SOME_ID.example.com

However, there will be multiple values of SOME_ID. Is an SSL wildcard certificate for auth.*.example.com permitted, or does the wildcard have to be the highest-level subdomain?

Carlos P (edited by Joel Coel)
    Stack Exchange encountered this exact SSL issue for `meta.*.stackexchange.com`: http://nickcraver.com/blog/2013/04/23/stackoverflow-com-the-road-to-ssl/ – apsillers Feb 05 '17 at 02:03

2 Answers

auth.*.example.com is not a valid name in DNS. A wildcard label must be the leftmost label, and there cannot be more than one.

Whether the various CAs and browsers care that it's an invalid DNS name is another question entirely (the DN field in an X.509 certificate is supposed to be an X.500 catalog path, so all DNS names there are bodged in sideways to begin with), and I think it has already been adequately answered.

Calle Dybedahl (edited by Joel Coel)
    Actually, `auth.*.example.com` is a valid name in DNS, it just isn't a wildcard. Also, since DNS and certificate subject names have fundamentally different rules for how wildcards work, I don't really see the relevance. – Håkan Lindqvist Feb 05 '17 at 00:36
You cannot do this. As a practical matter, you can only have one wildcard in a certificate DNS name, and it must be in the position furthest to the left.

Some options:

  1. Make auth a reserved name in your environment, and instead design your system to use SOME_ID.auth.example.com (*.auth.example.com is a valid wildcard certificate).
  2. Design your services to use a prefix, so the name is at the same level: auth-SOME_ID.example.com. Then a simple *.example.com wildcard certificate will cover you.
  3. Build infrastructure to request new certificates as needed from a provider like LetsEncrypt.org for the specific auth.SOME_ID.example.com addresses you need.

There are others, as well. For example, you could become your own Certificate Authority... though this is almost certainly more trouble than it's worth if you want these certs publicly trusted. The main point is you'll need to look at another way to accomplish this. It'll take some thought, but it's not impossible.

Joel Coel
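As an added illustration of the rule both answers state (this is not code from the thread or from any TLS library), here is a hostname matcher in the style of RFC 6125 section 6.4.3: a wildcard is accepted only as the entire leftmost label, at most once, and stands for exactly one DNS label, so `auth.*.example.com` is rejected while the `*.auth.example.com` and `auth-SOME_ID.example.com` designs from the second answer match. The function names and the `tenant1` identifier are my own assumptions.

```python
"""Certificate-name vs hostname matching, RFC 6125 / CA-Browser-Forum style.
Added example for the thread above; not code from the answers or any library."""


def is_valid_cert_name(pattern: str) -> bool:
    """True if `pattern` is a dNSName a public CA would issue.
    A wildcard must be the whole leftmost label, appear at most once, and
    leave at least two fixed labels to its right (so '*.com' is rejected)."""
    labels = pattern.lower().rstrip(".").split(".")
    if any(not lbl for lbl in labels):
        return False                          # empty label, e.g. 'a..b' or ''
    wildcards = [i for i, lbl in enumerate(labels) if "*" in lbl]
    if not wildcards:
        return True                           # plain name, no wildcard at all
    if wildcards != [0] or labels[0] != "*":
        return False                          # auth.*.example.com, a*.b.com, *.*.b.com
    return len(labels) >= 3                   # *.example.com ok, *.com not


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate name against a hostname.
    '*' stands for exactly one label, so *.example.com covers
    auth-tenant1.example.com but not auth.tenant1.example.com."""
    if not is_valid_cert_name(pattern):
        return False
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    return all(pl == "*" or pl == hl for pl, hl in zip(p, h))


def cert_covers(san_names, hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN list matches `hostname`."""
    return any(name_matches(n, hostname) for n in san_names)


if __name__ == "__main__":
    # Constructed SAN lists for the designs discussed in the answers ("tenant1" is a made-up SOME_ID).
    cases = [
        (["auth.*.example.com"], "auth.tenant1.example.com"),   # what the question asked for
        (["*.auth.example.com"], "tenant1.auth.example.com"),   # option 1
        (["*.example.com"], "auth-tenant1.example.com"),        # option 2
        (["*.example.com"], "auth.tenant1.example.com"),        # wildcard cannot span two labels
    ]
    for san, host in cases:
        print(f"{san[0]:<22} vs {host:<28} -> {cert_covers(san, host)}")
```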