Should a wildcard SSL certificate secure both the root domain as well as the sub-domains?

There’s some inconsistency between SSL implementations on how they match wildcards, however you’ll need the root as an alternate name for that to work with most clients.

For a *.example.com cert,

  • a.example.com should pass
  • www.example.com should pass
  • example.com should not pass
  • a.b.example.com may pass depending on implementation (but probably not).

Essentially, the standards say that the * should match 1 or more non-dot characters, but some implementations allow a dot.

The canonical answer should be in RFC 2818 (HTTP Over TLS):

Matching is performed using the matching rules specified by
[RFC2459]. If more than one identity of a given type is present in
the certificate (e.g., more than one dNSName name, a match in any one
of the set is considered acceptable.) Names may contain the wildcard
character * which is considered to match any single domain name
component or component fragment. E.g., *.a.com matches foo.a.com but
not bar.foo.a.com. f*.com matches foo.com but not bar.com.

RFC 2459 says:

  • A “*” wildcard character MAY be used as the left-most name
    component in the certificate. For example, *.example.com would
    match a.example.com, foo.example.com, etc. but would not match
    example.com.

If you need a cert to work for example.com, www.example.com and foo.example.com, you need a certificate with subjectAltNames so that you have “example.com” and “*.example.com” (or example.com and all the other names you might need to match).

Related Posts:

  1. How to convert .crt cetificate file to .pfx
  2. How do I view the details of a digital certificate .cer file?
  3. How do I convert a .cer certificate to .pem?
  4. api-ms-win-crt-runtime-l1-1-0.dll is missing when opening Microsoft Office file [closed]
  5. How to install OpenSSL in windows 10?
  6. Istio Ingress resulting in “no healthy upstream”
  7. What is a LAMP stack?
  8. What is the difference between POST and PUT in HTTP?
  9. What and where are the stack and heap?
  10. What is a reverse shell?
  11. Why am I getting error for apple-touch-icon-precomposed.png
  12. How could I ping @here in Discord.py?
  13. What’s the syntax for mod in java
  14. ‘git’ is not recognized as an internal or external command
  15. What are the rules of the std::cin object in C++?
  16. ssh remote host identification has changed
  17. How to link to part of the same document in Markdown?
  18. What is {{.}} in mustache?
  19. How to split column into two in R using separate
  20. Where do I find a list of all mat-icons — Angular
  21. TypeError : ‘method’ object is not subscriptable
  22. In C++, what is wx.h?
  23. How to UPSERT (MERGE, INSERT … ON DUPLICATE UPDATE) in PostgreSQL?
  24. What is the difference between allFile and allMarkdownRemark in gatsby
  25. DynamoDB : The provided key element does not match the schema
  26. How do I run a single test using Jest?
  27. Why I am getting java.lang.AbstractMethodError errors?
  28. Mercurial: no ~/.hgrc file
  29. How to clamp an integer to some range?
  30. What is the iOS 8 System Font?
  31. PHP &$string – What does this mean?
  32. difference between ‘-webkit-box-shadow’ & ‘box-shadow’ in css
  33. java.util.NoSuchElementException: No line found
  34. Simple prime number generator in Python
  35. Java: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  36. Update Git branches from master
  37. declaring a priority_queue in c++ with a custom comparator
  38. How to interactively (visually) resolve conflicts in SourceTree / git
  40. How to get the selected item from a ComboBox in JavaFX?
  41. Downcasting in Java
  42. SonarQube Runner vs Scanner
  43. You cannot add or change a record because a related record is required in table ‘table_name’
  44. Error in glm() in R
  45. Is there an online application that automatically draws tree structures for phrases/sentences?
  46. Create new tmux session from inside a tmux session
  47. classic ASP error ‘80020009’ Exception occurred
  48. Disable Chrome pinch zoom for use in kiosk
  49. How to ‘minify’ Javascript code
  50. How to extract Month from date in R
  51. Receiving “message”:”CB-ACCESS-KEY header is required” when attempting to connect to coinbase pro api
  52. Error haskell: not in scope. What does that mean?
  53. Python High Pass Filter
  54. How to disable text selection highlighting
  55. if-not condition fails (jQuery)
  56. RGBA code for red color
  57. java array error “array required but int found”
  58. this: Cannot use this in static context
  59. Fail to create Android virtual Device, “No system image installed for this Target”
  60. Warning: session_start(): Cannot send session cookie – headers already sent by (output started at [duplicate]
  61. In Java, what is a shallow copy?
  62. conversion to inaccessible base class is not allowed [duplicate]
  63. Get all object attributes in Python? 
  64. How to get the filename without the extension in Java?
  65. ifference between ibatis and mybatis
  66. How to install PyQt4 on Windows using pip?
  67. Example of realpath function in C
  68. Printing a 2D array in C
  69. Should 3rd Parties Use $wp_scripts/$wp_styles->add_data?
  70. Send an email that contains a HTML and plain text part
  71. Filtering the Comment Form Allowed Tags
  72. Contact Form 7: Redirecting on a condition? [closed]
  73. Deleting images in array
  74. Next Previous siblings child pages
  75. dbDelta with the character ;
  76. Is there function similar to wp_upload_bits() that will allow uploading to a specific path?
  77. Pulling Individual Posts from WP_Query
  78. How to check, if user commented before, on comment_post action?
  79. What A Pupil Learns From Writing An Argumentative Essay
  80. Displaying a remote SSL certificate details using CLI tools
  81. 100% uptime for a web application
  82. How to assign permissions to ApplicationPoolIdentity account
  83. Is it bad to redirect http to https?
  84. Using DD for disk cloning
  85. What tool do you use to monitor your servers?
  86. Sudo as different user and running screen
  87. What is the difference between Load Balancer and Reverse Proxy?
  88. Should servers be turned off at night?
  89. Where to check log of sendmail?
  90. How can I see Time-To-Live (TTL) for a DNS record?
  91. Rsync difference between –checksum and –ignore-times options
  92. Should I use tap or tun for openvpn?
  93. nmap find all alive hostnames and IPs in LAN
  94. Should CNAME Be Used For Subdomains?
  95. How do I create user accounts from the Terminal in Mac OS X 10.5?
  96. How to get a .pem file from ssh key pair?
  97. How to inspect remote SMTP server’s TLS certificate?
  98. Choosing between meaningful and meaningless hostnames [closed]
  99. logrotating files in a directories and its subdirectories
  100. Multiple TXT fields for same subdomain

Leave a Comment