
Is it possible to secure multiple domains with a single certificate using wildcard domains and a SAN?

For example, one SAN certificate that secures both *.domain1.com and *.domain2.com?

Everything I have read so far seems to indicate that you can have either a wildcard certificate (*.domain1.com) OR a SAN certificate (host1.domain1.com, host2.domain2.com), but not a combination. Is this correct?

sepehr
ibrewster
  • It's possible to get wildcard certs issued, and some certs can cover multiple hosts. Multi-domain wildcards would be a major security nightmare... – Marc B Jan 31 '14 at 20:33
  • @MarcB Which would be a very reasonable explanation of why it might not be possible to do that :-) – ibrewster Jan 31 '14 at 20:49
  • (3) It is not possible to have names with multiple wildcards in them, but according to RFC 2818 it should be possible to have both *.domain1.com and *.domain2.com together inside the certificate's SAN part. And I don't see this as a security nightmare. – Steffen Ullrich Feb 01 '14 at 09:45
  • Do we know if wildcard subdomains in SAN are valid as well (i.e. `*.sub.domain.com`)? – Matt Borja May 05 '16 at 16:45
  • (3) This should be reopened. This should be an exception or change the rules. This is a grey area. – Elijah Lynn Oct 23 '20 at 23:39

4 Answers


Yes, it's certainly technically possible. For instance, the certificate for Microsoft Outlook Web Access (https://outlook.office365.com) was issued to outlook.com, and has a combination of wildcarded and non-wildcarded names in the SAN section:

DNS Name=outlook.com
DNS Name=*.outlook.com
DNS Name=office365.com
DNS Name=*.office365.com
DNS Name=*.live.com
DNS Name=*.internal.outlook.com
DNS Name=*.outlook.office365.com
DNS Name=outlook.office.com
DNS Name=attachment.outlook.office.net
DNS Name=attachment.outlook.officeppe.net

Of course, as pointed out above, this cert was issued by Microsoft themselves, so they can pretty much do what they want.

roryhewitt
  • (5) You can view these like `true | openssl s_client -connect outlook.office365.com:443 | openssl x509 -noout -text | grep -B1 DNS:` (adapted from http://stackoverflow.com/a/13128918/1695680) – ThorSummoner Aug 25 '16 at 22:21
  • (2) For anyone looking for a PowerShell command to accomplish this, it looks like this: `New-SelfSignedCertificate -Subject *.my.domain -DnsName my.domain, *.my.domain -CertStoreLocation Cert:\LocalMachine\My -NotAfter (Get-Date).AddYears(10)` – Vinney Kelly Jul 05 '17 at 20:41
  • Thanks for the wonderful example. I was trying to find the same. – Jay Rajput Dec 30 '19 at 10:29

I assume you want to use the certificate for HTTP. In this case you need to look at RFC 2818. This RFC clearly defines that the common name should only be used if no subject alternative names are configured, but it allows wildcard certificates in the SAN extension. So it should be possible to combine several non-wildcard and wildcard names inside the SAN part of the certificate.

It looks like various CAs have different policies about creating certificates mixing wildcard and non-wildcard: While Thawte argues that mixing is not possible (https://community.thawte.com/blog-posts/difference-between-wildcard-ssl-vs-san-certificate) DigiCert propagates it as the best of both worlds (http://www.digicert.com/ssl-support/wildcard-san-names.htm). So it seems to be more a limitation of the CAs and not of the browsers and definitely not of the standard.

Community
Steffen Ullrich
  • Yes, it's possible - I use one myself. Most CAs have policies that maximize their profit, so you're starting to talk big money if you look at the few who allow you to do that. The one exception is StartCOM, who have unlimited free wildcard SANs after you pay their verification surcharge (which only lasts a short time). – cnd Jan 01 '15 at 06:23
  • (3) It's completely possible. We're using one right now. You can look at it using OpenSSL `openssl s_client -connect api.smartystreets.com:443`. Search Google for "Comodo Positive Multi-Domain Wildcard SSL". – Jonathan Oliver Aug 04 '16 at 05:24
  • (2) For anyone else seeing this answer, it may be worth noting that DigiCert's offering is *not* multi-wildcard - they offer a single certificate that is e.g. *.subdomain1.example.org and test.subdomain2.example.org, but they do not offer *.subdomain1.example.org and *.subdomain2.example.org on a single certificate. – Andrew Stevens Apr 29 '21 at 18:49
  • I looked at the DigiCert link, but they are only supporting SANs and calling it a wildcard? – Jens Timmerman Jan 19 '22 at 10:55
  • (1) @JensTimmerman: Note that this answer is nearly 7 years old. CAs might have changed their offerings in the meantime. – Steffen Ullrich Jan 19 '22 at 11:32

Generally, a domain name or URL requires just one certificate to be secure. But what if you need to secure multiple domains? How can you manage their security without sacrificing budget and time?

Securing Multiple Domains

Securing multiple domains can be achieved with 2 approaches, Wildcard certificates and Unified Communications Certificates (UCC), also known as SAN (Subject Alternative Name). SAN lets you specify additional host names (sites, IP addresses, common names, etc.) to be protected by a single SSL Certificate, while a Wildcard certificate can support a single domain and an unlimited number of first-level subdomains. SAN/UCC can also be combined as an extension with a Wildcard to add functionality to the certificate. You can combine these two certificates as a Multi-domain Wildcard SSL Certificate depending on your needs. This makes managing the security of multiple websites much easier and cheaper than managing a separate SSL certificate for every domain you own.

Read More: Securing Multiple Domains with SAN/UCC Certificates

slm

I just wanted to provide you an overview of both wildcard and SAN certs.

Wildcard:

A wildcard certificate allows for unlimited subdomains to be protected with a single certificate.

For example, you could use a wildcard certificate for the domain name abc.com and that cert would also work for mail.abc.com, ftp.abc.com and any other subdomain. The wildcard refers to the fact that the cert is provisioned for *.abc.com.

It does not allow extended validations.

SAN:

A SAN cert allows for multiple domain names to be protected with a single certificate.

For example, you could get a certificate for abc.com, and then add more SAN values to have the same certificate protect abc.org, abc.net and even abc.xyz

It allows extended validations.