
I bought a wildcard certificate for *.example.com. Now, I have to secure *.subdomain.example.com. Is it possible to create a sub-certificate for my wildcard-certificate?

If it is, how can I do this?

jww
Attrachii
  • Also see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639). You will also need to place the self-signed certificate in the appropriate trust store. – jww Aug 07 '17 at 22:27

4 Answers

No, it is not possible. A wildcard inside a name only reflects a single label and the wildcard can only be leftmost. Thus *.*.example.org or www.*.example.org are not possible. And *.example.org will neither match example.org nor www.subdomain.example.org, only subdomain.example.org.

But you can have multiple wildcard names inside the same certificate, that is you can have *.example.org and *.subdomain.example.org inside the same certificate.

Mike Christensen
Steffen Ullrich
    I think this post complements this answer about multi-level wildcards: [Can You Create A Wildcard SSL Certificate For Two Levels?](https://www.instantssl.com/multi-level-wildcard) – joseluisq Oct 25 '19 at 06:44

It is impossible to secure multi-level subdomains with a single wildcard certificate. If a wildcard certificate is issued for *.mydomain.tld, it can secure only first-level subdomains of mydomain.tld.

To secure your second-level subdomains, you have two choices.

  • Purchase another wildcard certificate for *.sub1.mydomain.tld. In that case, you need to manage two individual wildcard certificates.
  • Go with a multi-domain wildcard certificate, where you can add up to 100 domains or subdomains.

For example,

  • *.mydomain.tld
  • *.sub1.mydomain.tld
  • *.sub2.mydomain.tld
  • *.anydomain.com

It will secure your multiple domains and multi-level subdomains and reduce your hassle from multiple certificate management.

Jason Parms

As per a 7-year-old article at https://www.digicert.com/news/2010-9-1-new-wildcard-features/:

DigiCert Wildcard Plus certificates can secure any subdomain using subject alternative names (SANs). A traditional wildcard certificate for *.example.com will only secure a first-level subdomain of example.com such as mail.example.com. DigiCert’s Wildcard Plus certificate uses SANs to secure any subdomain of example.com, including multi-level subdomains such as mail.internal.example.com. With this new feature, all subdomains can be secured with a single Wildcard Plus certificate from DigiCert. The base domain itself, example.com, is automatically included as a SAN in every Wildcard Plus certificate as well, which increases compatibility and protects example.com with or without the “www.”

moggi
Iliko

No, you can't create a sub-certificate for your wildcard.

-> Your wildcard certificate is for *.mydomain.tld, so as per the wildcard SSL guideline you can secure first-level sub-domains. This means anything.mydomain.tld can be secured.

-> But if you want to use it to secure *.subdomain.mydomain.tld, which is for second-level sub-domains, a wildcard certificate can't secure second-level sub-domains.

Solution

-> You need to buy one more wildcard SSL certificate for your second-level sub-domain *.subdomain.mydomain.tld.
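A worked check of the single-label, leftmost-only wildcard rule stated in the first answer and repeated in the later ones, as an added example that is not code from any of the answers. The SAN lists are constructed, and the matching rule follows RFC 6125 section 6.4.3, which is what a TLS client applies when deciding whether a certificate covers a hostname.

```python
"""Wildcard certificate name matching (added example, not from the answers).

Implements the single-label, leftmost-only wildcard rule from RFC 6125
section 6.4.3 and checks a hostname against a certificate's subject
alternative names (SANs). The SAN lists below are constructed.
"""

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName pattern covers hostname.

    Names are compared case-insensitively, label by label. A wildcard is
    honoured only when it is the entire leftmost label and at least two
    further labels follow (so '*.com' is rejected). It matches exactly one
    label: never zero, never several.
    """
    pat_labels = pattern.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return pat_labels == host_labels
    # Wildcard must be the whole leftmost label: '*.*.x' and 'www.*.x' fail
    if pat_labels[0] != "*" or any("*" in lbl for lbl in pat_labels[1:]):
        return False
    if len(pat_labels) < 3:          # refuse '*.tld'-style patterns
        return False
    if len(host_labels) != len(pat_labels):
        return False                 # one wildcard covers exactly one label
    return host_labels[0] != "" and host_labels[1:] == pat_labels[1:]


def certificate_covers(san_names, hostname: str):
    """Return the first SAN entry that covers hostname, or None."""
    for name in san_names:
        if dns_name_matches(name, hostname):
            return name
    return None


# Constructed SAN lists for the two situations the answers describe.
SINGLE_WILDCARD = ["*.example.org"]
MULTI_WILDCARD = ["example.org", "*.example.org", "*.subdomain.example.org"]

if __name__ == "__main__":
    for host in ["example.org", "subdomain.example.org", "www.subdomain.example.org"]:
        print(host, certificate_covers(SINGLE_WILDCARD, host),
              certificate_covers(MULTI_WILDCARD, host))
```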