
I've scoured the web for a clear and concise answer to my SSL question, but to no avail. So here goes:

I have a web-service requiring SSL support for authentication pages. The root-level domain does not have the "www" - i.e., secure://domain.com - but localized pages use "language-code.domain.com", i.e. secure://ja.domain.com

So I need at least a wildcard SSL certificate that supports secure://*.domain.com

However, we also have a public sandbox environment at sandbox.domain.com, which we also need to support under localized domains - so secure://ja.sandbox.domain.com needs to also work.

The previous admin managed to purchase a wildcard SSL certificate for *.domain.com, but with a Subject Alternative Name for "domain.com". So, I'm thinking of trying to get a wildcard certificate with SANs defined as "domain.com" and "*.*.domain.com".

But now I'm getting confused because there seem to be separate SAN certificates, also called UCC certificates.

Can someone clarify whether it's possible to get a wildcard certificate with additional SAN fields, and ultimately what the best way is to support:

secure://domain.com, secure://*.domain.com and secure://*.*.domain.com

with the fewest (and cheapest!) number of SSL certificates?

Thanks!



First, SAN certificates = UCC certificates. They are both just certificates with the SubjectAltName field.

Second, a wildcard of *.*.domain.com won't work in most browsers. You will either need to get two wildcard certificates (one for *.sandbox.domain.com and one for *.domain.com) or get a wildcard certificate for *.domain.com and have your SSL provider put a specific SubjectAltName of ja.sandbox.domain.com. I think DigiCert and GlobalSign offer this.

Robert
  • Thanks Robert - you're absolutely right. I ended up getting two certs - one for the sub-domain, another for the sub-sub domain. I should also note, it seems some SSL providers include the root domain in the SAN as a complement, while others do not (in which case you'd need to register another cert). GoDaddy for example includes "domain.com" in the SAN when buying wildcard cert *.domain.com, but RapidSSL does not. –  Apr 27 '10 at 05:18
  • At least since 2013, RapidSSL do include 'domain.com' in the wildcard certificates. – Arto Bendiken Feb 20 '14 at 19:03
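The wildcard rule Robert describes (a `*` may only stand in for the whole left-most label and matches exactly one label, so `*.*.domain.com` is not a usable entry) is easy to get wrong when planning a SAN list, and the later answers point out that every wildcard you put in a UCC is billed separately. The following added example, which is not code from the question or any of the answers, implements that matching rule and a small planner that works out which SAN entries one UCC-style certificate would need for a list of hostnames, using a literal entry instead of a wildcard when the wildcard would only cover a single host. All hostnames in it are constructed for illustration; the function names and the `min_hosts_for_wildcard` parameter are my own.

```python
# Added example, not from the original question or answers. It implements the
# RFC 6125 wildcard rule (a '*' may only replace the entire left-most label and
# matches exactly one label) and a planner that proposes SAN entries for one
# certificate. All hostnames are constructed for illustration.

from collections import defaultdict


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.strip().lower().rstrip(".").split(".")


def san_entry_is_valid(entry):
    """Accept a literal DNS name or a wildcard of the form '*.<two or more labels>'.
    Rejects '*.*.domain.com', 'ja.*.domain.com', 'w*.domain.com' and '*.com'."""
    labels = _labels(entry)
    if any(label == "" for label in labels):
        return False
    if "*" not in entry:
        return True
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        return False
    return len(labels) >= 3


def hostname_matches(hostname, entry):
    """True if `hostname` is covered by the SAN (or CN) value `entry`."""
    if not san_entry_is_valid(entry):
        return False
    host, pattern = _labels(hostname), _labels(entry)
    if len(host) != len(pattern):
        return False  # the wildcard never spans more than one label
    if pattern[0] == "*":
        return host[1:] == pattern[1:]
    return host == pattern


def uncovered_hostnames(hostnames, entries):
    """Hostnames that none of the certificate's entries would match."""
    return sorted(h for h in hostnames
                  if not any(hostname_matches(h, e) for e in entries))


def plan_san_entries(hostnames, min_hosts_for_wildcard=2):
    """Choose SAN entries for one certificate covering every hostname.

    Names sharing a parent get one '*.<parent>' wildcard when at least
    `min_hosts_for_wildcard` of them exist (CAs bill each wildcard extra, so a
    wildcard that would cover a single host is replaced by a literal entry).
    Names no wildcard can cover, such as the bare apex 'domain.com', are
    listed literally."""
    by_wildcard = defaultdict(list)
    entries = set()
    for name in hostnames:
        labels = _labels(name)
        candidate = "*." + ".".join(labels[1:])
        if san_entry_is_valid(candidate):
            by_wildcard[candidate].append(".".join(labels))
        else:
            entries.add(".".join(labels))
    for wildcard, covered in by_wildcard.items():
        if len(covered) >= min_hosts_for_wildcard:
            entries.add(wildcard)
        else:
            entries.update(covered)
    return sorted(entries)


# Constructed sample: the hostnames from the question plus a second locale.
SAMPLE_HOSTS = [
    "domain.com", "ja.domain.com", "fr.domain.com", "sandbox.domain.com",
    "ja.sandbox.domain.com", "fr.sandbox.domain.com",
]

if __name__ == "__main__":
    plan = plan_san_entries(SAMPLE_HOSTS)
    print("SAN entries:", plan)
    print("still uncovered:", uncovered_hostnames(SAMPLE_HOSTS, plan))
    print("uncovered by '*.domain.com' alone:",
          uncovered_hostnames(SAMPLE_HOSTS, ["*.domain.com"]))
```

Running it on the sample list yields three entries, `*.domain.com`, `*.sandbox.domain.com` and the literal `domain.com`, which is the same shape as the "wildcard plus SANs" certificate discussed in the answers; `uncovered_hostnames` with only `*.domain.com` shows exactly the apex and the sub-sub-domain hosts that a single wildcard leaves out.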

According to http://ssl.com it is definitely technically possible to combine UCC and wildcard certificates. Essentially they recommend using a UCC certificate with one Subject Alt Name containing your wildcard: *.domain.com - They do note that you'll need to pay extra to have wildcards in the UCC.

To cover unlimited subdomains, just create the wildcard domains (ie *.sitename.com) in the common name field or as a SAN (Subject Alternative Name) when you purchase your UCC... You can even put other wildcards in the SAN fields such as *.sub1.sitename.com

Just create the wildcard domains (ie *.sitename.com) in the common name field and/or as a SANS (Subject Alternative Names) when you purchase a UCC (or create one). Most CAs will charge you each wildcard domain as a standard wildcard certificate.

Comodo for example notes when purchasing their UCC certificate that:

Wildcard domains can be added to a UCC for a $399.00 surcharge per domain.

Let's Encrypt

From following the http://LetsEncrypt.com discussion boards, it seems that this capability may also be included when it's available later in 2015.

Daniel

The main things to remember:

  • UCC/SANs can include a LOT of entries (up to 2000 for some certificate authorities)
  • UCCs from most CAs can indeed incorporate wildcards (IIRC GoDaddy doesn't allow wildcards in UCCs)
  • Wildcards added to UCCs will incur a charge, but might be cheaper than a separate wildcard cert (for instance, ssl.com charges USD $299 for a standalone wildcard but $258 for a wildcard included in a UCC)
  • Most CAs let you cut and change your UCC entries (aka "reissue" the cert) during that cert's lifetime if you need to add/remove/change domains, and there's usually no extra charge for this (again, YMMV - SSL.com/Comodo/namecheap give free reissues, GoDaddy wants you to buy a new UCC to add names)

So it depends on a lot of factors, but one UCC which includes all your domain names (including your wildcards) might be a better solution/easier to manage than a slew of different certificates.

(Also, just FYI - looks like Let's Encrypt is not set up to handle wildcards at present.)