
We have two domains ... let's call them a-domain.com and b-domain.com ... that are prevalent across multiple servers for multiple subdomain sites. Each of these domains has a wildcard SSL cert ... *.a-domain.com and *.b-domain.com ... both use the same intermediate certificate authorities (CAs), but have different private .key files.

For simplicity's sake in managing, it would be nice if we could combine the two wildcards into one set of .cert (or .pem), .key, and .chain files -- so that if there's one server using both (common) it's easy to install/update.

I see that you can combine SSL certs -- but all the examples/questions have at most one wildcard cert in their description, and I'm wondering if two wildcards is possible.

Can you combine the two wildcard certs for different SLDs into one .cert and one .key?

Thanks! Neil

2 Answers


If you want to combine the files: no. You can physically combine them, but this will not make one certificate.

But if you want to issue a new certificate, you can combine a few hostnames in the CN. About wildcards, better contact your CA and ask if you can add more than one wildcard domain as Common Name.

Romeo Ninov

You yourself can't combine/merge multiple existing certificates into a single new certificate that's valid for everything.

There are some container formats that allow you to merge all your private, public and intermediate certificates into a single container, a single file, which may make management easier. For example PKCS #12 and Java KeyStore.

In practice, using those will probably not reduce your administrative burdens. There is no single container format that is supported universally, and many servers don't support any container format at all. And my experiences with Java KeyStores and keytool certainly didn't feel like that made my life easier...

But you can buy multi-domain wildcard TLS certificates that are valid for both *.example.com and example.com as well as example.co.uk and *.example.co.uk.

There is no a priori technical restriction on the number of wildcard dNSName entries allowed in the Subject Alternative Name (SAN) extension of a certificate, nor is a wildcard dNSName entry technically any different from a simple DNS hostname.

Nonetheless, typical certificate issuers are likely to charge you (much) more for a certificate with two or more wildcards.

Let's Encrypt supports requesting such certificates as well, by the way: see this announcement.

To request a wildcard certificate simply send a wildcard DNS identifier in the newOrder request. Under Let’s Encrypt’s policy, wildcard identifiers must be validated by a DNS-01 challenge, so order authorizations corresponding to wildcard identifiers will only offer a DNS-01 challenge.
DNS names in certificates may only have a single wildcard character, and it must be the entire leftmost DNS label, for instance “*.example.com”. A single certificate can have wildcard DNS names for multiple base domains, and can also mix in non-wildcard names.

Rob
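As an added example (not part of either answer), the following Python checks whether a single SAN list carrying both wildcards, built for the placeholder domains from the question, actually covers a set of server hostnames under the rule quoted above (one wildcard, entire leftmost label) and the usual matching rule that a wildcard covers exactly one label, so *.a-domain.com matches www.a-domain.com but not a-domain.com itself. The SAN list and hostnames are constructed samples.

```python
"""Check that one multi-wildcard SAN list covers a set of hostnames."""
import re

# Constructed sample: the SAN list a single combined certificate would carry
# for the two placeholder domains in the question. Note the bare names are
# listed explicitly, because a wildcard does not cover its own base domain.
COMBINED_SANS = [
    "a-domain.com", "*.a-domain.com",
    "b-domain.com", "*.b-domain.com",
]

_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def is_valid_dnsname(name: str) -> bool:
    """Accept a dNSName per the quoted Let's Encrypt rule: at most one '*',
    and if present it must be the entire leftmost label."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2 or name.count("*") > 1:
        return False
    head, rest = labels[0], labels[1:]
    if head != "*" and not _LABEL.match(head):
        return False
    return all(_LABEL.match(lbl) for lbl in rest)


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style match: a wildcard stands in for exactly one leftmost
    label, so '*.a-domain.com' matches 'www.a-domain.com' but neither
    'a-domain.com' nor 'x.y.a-domain.com'."""
    if "*" in host or not is_valid_dnsname(san) or not is_valid_dnsname(host):
        return False
    s_labels = san.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if s_labels[0] != "*":
        return s_labels == h_labels          # plain name: exact match only
    return len(s_labels) == len(h_labels) and s_labels[1:] == h_labels[1:]


def uncovered_hosts(sans: list, hosts: list) -> list:
    """Return the hostnames no SAN entry matches: the check to run before
    replacing two separate wildcard certs with one combined certificate."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]
```

Any name this returns (for instance a second-level host such as deep.sub.b-domain.com) needs its own SAN entry, since a single wildcard never spans two labels.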