Can I use the same wildcard certification for *.domain.com and domain.com

Question

You can make an SSL certificate by using *.domain.com as the name.

But unfortunately, this doesn't cover https://domain.com

Is there any fix for this?

MikeyB · Accepted Answer · 2009-06-03T03:04:22.800

15

I seem to recall that *.domain.com actually violates RFC anyways (I think only lynx complains though :)

Create a certificate with domain.com as the CN and *.domain.com in the subjectAltName:dNSName names field - that works.

For openssl, add this to the extensions:

subjectAltName          = DNS:*.domain.com

edited Jun 03 '09 at 03:04

answered Jun 03 '09 at 00:58

MikeyB

39,291
10
105
189

Awww, I just tried it and it doesn't work, at least in firefox. – Unknown Jun 03 '09 at 01:10
A detail: Ensure *.domain.com is in the subjectAltName:dNSName field – MikeyB Jun 03 '09 at 02:58
@Supermathie how do I do that in the command line? – Unknown Jun 03 '09 at 03:38
You can't do it directly on the command line, but you can use -extfile and -extensions. – MikeyB Jun 03 '09 at 14:33
+1...this is how we handle our wildcard certificates. I can't commend on how to do this with openssl though. – Doug Luxem Jun 15 '09 at 03:01
Works fine for me! Thanks! – Joshua Pinter Sep 23 '19 at 03:14

Dave Cheney · Answer 2 · 2009-06-15T02:24:33.317

6

Unfortunately you cannot do this. The rules for handling wildcards on subdomains are similar to the rules about cookies for subdomains.

www.domain.com       matches    *.domain.com
secure.domain.com    matches    *.domain.com
domain.com      does not match  *.domain.com
www.domain.com  does not match  domain.com

To handle this you will have to obtain two certificates, one for *.domain.com and the other for domain.com. You will need to use two separate IP address and vhosts two handle these domains separately.

edited Jun 15 '09 at 02:24

answered Jun 14 '09 at 23:25

Dave Cheney

18,567
8
49
56

4

You can absolutely do this - its done all the time - see above answer. This is accomplished using the CN and the subject alternate name extension. http://techbrahmana.blogspot.com/2013/10/creating-wildcard-self-signed.html – John Kloian Aug 03 '15 at 22:08

score 4 · Answer 3 · answered Jan 31 '13 at 20:41

4

Wildcards these days will have *.domain.com and domain.com in the subject alternative name field (SAN). For instance take a look at quora.com's wildcard SSL cert

You will see

Subject Alternative Names: *.quora.com, quora.com

answered Jan 31 '13 at 20:41

Yogi

171
4

Just confirmed this on one of my own wildcard certs (from Comodo) - non-www worked just fine. – ceejayoz Jan 31 '13 at 21:15

score 2 · Answer 4 · answered Jun 03 '09 at 02:03

2

Probably not the answer you're looking for, but I'm 99% sure there isn't a way. Redirect http://domain.com/ to https://www.domain.com/ and just use the *.domain.com as the SSL cert. It's far from perfect, but should hopefully cover most of the cases you are interested in. The only other alternative is to use different IP addresses for domain.com and www.domain.com. Then you can use different certificates for each IP.

answered Jun 03 '09 at 02:03

Mark

2,856
20
13

You are correct. "domain.com" is a subdomian of ".com", so the wildcard that would work for it would be "*.com". This is why a cert for *.domain.com works for "www.domain.com" but not, "www.acct.domain.com". – sysadmin1138 Jun 03 '09 at 03:00

score 1 · Answer 5 · answered Jun 14 '09 at 23:28

No because they are completely different name space. redirecting the tld is not an option either because SSL is a transport encryption it has to decode the ssl before apache for example can even see the request host to redirect it.

Also as a side note: foo.bar.domain.com is also not valid for a wildcard cert (firefox from memory is the only one that will allow that.

Can I use the same wildcard certification for *.domain.com and domain.com

5 Answers5

Linked