
I discovered recently that my *.domain.com cannot be used on server1.apps.domain.com because it will only "wild" the one level, not two.

The questions are thus twofold:

  1. Is there such a thing as a *.*.domain.com certificate?
  2. Would such a certificate work on both server1.apps.domain.com and www.domain.com? (e.g. two different levels of depth)
  • Possible duplicate of [Do I have to buy a second wildcard certificate for a subdomain?](https://serverfault.com/questions/627219/), [Wildcard SSL certificate and subdomain levels](https://serverfault.com/questions/257404/), [Double Wildcard SSL Certificates](https://serverfault.com/questions/131431/), [Wildcard SSL certificate for second-level subdomain](https://serverfault.com/questions/104160/) and probably more. – Steffen Ullrich Oct 01 '18 at 03:15

2 Answers


You can have multiple Subject Alternative Names in a single certificate, each with a wildcard at a different level:

*.domain.com
*.app.domain.com
*.xxx.domain.com
etc.

Vadim
  • Yes, but it's not a "real" wildcard certificate then; the certificate needs to be reissued whenever you want to add a new subdomain name, e.g. when you have a wildcard for *.example.com with Subject Alternative Name *.apps.example.com you have to reissue if you want to add e.g. *.api.example.com – Broco Sep 30 '18 at 22:13
  • Yes. But afaik there is no better way. – Vadim Sep 30 '18 at 22:15
  • True that. If OP just wants a fixed level of sub-subdomains, this is the right answer. – Broco Sep 30 '18 at 22:18
  • Stack Exchange does certs this way, because the RFC says this is how it should work. The blog post on the transition may be entertaining: https://nickcraver.com/blog/2017/05/22/https-on-stack-overflow/#certificates – John Mahowald Oct 01 '18 at 01:18

The answer is simple: no, there isn't.

According to the RFC, only one wildcard is supported:

Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

However, what you can do is get a wildcard certificate for *.apps.domain.com, which will cover every subdomain of apps.domain.com, and another one for *.domain.com to cover the first-level subdomains.

Taken from: https://www.instantssl.com/articles/can-you-create-a-wildcard-ssl-certificate-for-two-levels.php:

The reason it is not possible to have a "double wildcard" SSL certificate is that the placeholder, the asterisk, can only stand in for one field in the name submitted to the CA. After all, the CA has to verify all information, and too many variables in the certificate would decrease the security and confidence the certificate provides.

Additionally, and this is important for IT managers and website owners as well, the internal security cannot be compromised as easily. Keep in mind that any type of security issue once an SSL certificate is in place is much more likely to occur from an internal security breach where someone with access to the private key and certificate is able to set up a subdomain website that is actually covered by the SSL.

Broco
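As an added example (not code from either answer), here is a minimal Python matcher for the single-label wildcard rule both answers rely on. It follows the stricter form current browsers apply (the wildcard must be the whole leftmost label), so RFC 2818's partial f*.com form is rejected; it then checks the question's two hostnames against a lone *.domain.com and against the multi-SAN certificate Vadim describes. The hostnames and SAN lists are constructed for the demonstration.

```python
from typing import Iterable


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if the dNSName SAN `pattern` covers `hostname`.

    Rules implemented (RFC 6125 style, as browsers apply them):
    - comparison is case-insensitive; a trailing dot is ignored
    - '*' may appear only as the entire leftmost label and stands for
      exactly one label, so '*.domain.com' matches 'www.domain.com'
      but NOT 'server1.apps.domain.com' (the question's problem)
    - '*.*.domain.com' and partial wildcards like 'f*.com' are rejected
    - the wildcard must be followed by at least two labels ('*.com' is not accepted)
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False  # wildcard not a whole leftmost label, doubled, or too shallow
    # The wildcard consumes exactly one label; everything to its right must be identical.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(sans: Iterable[str], hostname: str) -> bool:
    """A certificate covers a host if any of its dNSName SANs matches (RFC 2818)."""
    return any(san_matches(san, hostname) for san in sans)


# Constructed SAN lists: a lone wildcard vs. one wildcard per depth level.
SINGLE_WILDCARD = ["*.domain.com"]
PER_LEVEL_SANS = ["domain.com", "*.domain.com", "*.apps.domain.com"]


def coverage(sans: Iterable[str], hosts: Iterable[str]) -> dict:
    """Map each hostname to whether the given SAN list covers it."""
    sans = list(sans)
    return {h: cert_covers(sans, h) for h in hosts}


if __name__ == "__main__":
    hosts = ["www.domain.com", "server1.apps.domain.com", "apps.domain.com"]
    print("single wildcard:", coverage(SINGLE_WILDCARD, hosts))
    print("per-level SANs: ", coverage(PER_LEVEL_SANS, hosts))
```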