
I am trying to secure a sub domain:

bitbucket.kl.company.com

The certificate is for *.company.com. So I get an error:

bitbucket.kl.company.com uses an invalid security certificate. The certificate is only valid for the following names: *.company.com, company.com, bitbucket-mirror.company.com Error code: SSL_ERROR_BAD_CERT_DOMAIN

The puzzling thing is that some browsers don't complain, and load the page as expected. Is my certificate wrong? Can I order a certificate specifically for bitbucket.kl.company.com, and not use *.company.com?

eeijlar
  • Dupe https://serverfault.com/questions/104160/wildcard-ssl-certificate-for-second-level-subdomain and https://serverfault.com/questions/817255/difference-between-wild-card-ssl and several more. _All_ browsers should reject this at least once, although if the user approves an exception or override they may well work after that. – dave_thompson_085 Aug 30 '17 at 07:29

2 Answers


This is a wildcard certificate and is valid only for third levels such as name.company.com, and not fourth levels such as the desired bitbucket.kl.company.com.

You need to use another certificate for either the specific domain name or get a wildcard one for *.kl.company.com.

whites11
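
The single-label wildcard rule described in this answer, as an added example that is not part of the original post. The certificate names are copied from the error message in the question; the function names are hypothetical, and partial wildcards such as `b*.company.com` are not handled.

```python
# Added example: hostname matching under the rule that "*" stands for exactly
# one complete left-most DNS label (RFC 6125). Helper names are hypothetical.

# Certificate names copied from the browser error quoted in the question.
CERT_NAMES = ["*.company.com", "company.com", "bitbucket-mirror.company.com"]


def labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(pattern, hostname):
    """True if one certificate name (possibly a wildcard) covers hostname."""
    p, h = labels(pattern), labels(hostname)
    if len(p) != len(h):          # "*" never spans more than one label
        return False
    if p[0] == "*":
        # The wildcard replaces the left-most label; the rest must be equal.
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def cert_covers(hostname, names=CERT_NAMES):
    """Return the certificate names covering hostname (empty list = mismatch)."""
    return [n for n in names if name_matches(n, hostname)]


def names_to_request(hostname):
    """The two options from the answer: exact name, or wildcard one level up."""
    parent = ".".join(labels(hostname)[1:])
    return [hostname.lower(), "*." + parent]


if __name__ == "__main__":
    for host in ("bitbucket.company.com", "company.com",
                 "bitbucket.kl.company.com"):
        print(host, "->", cert_covers(host) or "SSL_ERROR_BAD_CERT_DOMAIN")
    print("request one of:", names_to_request("bitbucket.kl.company.com"))
```
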

> The certificate is for *.company.com. So I get an error:

This is expected behaviour, as @whites11 already pointed out in his answer.

> The puzzling thing is that some browsers don't complain, and load the page as expected.

The problem here is: The implementation of wildcard certificate handling is pretty bad and especially quite inconsistent across browser vendors and versions. Don't expect them to work consistently on all platforms.

> Can I order a certificate specifically for bitbucket.kl.company.com, and not use *.company.com?

Yes you can. You just have to prove the ownership/control of bitbucket.kl.company.com to your favorite CA (e.g. Let's Encrypt) and they will issue said TLS certificate to you.

mat