8

I would like to have a single webserver with a single certificate that hosts the following domains:

  • onenameofthecompany.com
  • othernameofthecompany.com
  • www.onenameofthecompany.com
  • www.othernameofthecompany.com
  • bla.onenameofthecompany.com
  • bla.othernameofthecompany.com
  • ...

In theory, I could create a certificate with the following characteristics:

  • Subject contains (*.)onenameofthecompany.com
  • SubjectAlternateName contains:
    • onenameofthecompany.com
    • othernameofthecompany.com
    • *.onenameofthecompany.com
    • *.othernameofthecompany.com

I tested this setup with and it seems to be working in a recent version of Firefox and IE8.

Questions:

  • Should I expect client compatibility problems with this setup? Any known issues with e.g. IE6 or other older browsers?
  • Should I put *.onenameofthecompany.com or simply onenameofthecompany.com in the Subject field of the certificate? (I know that in theory, when SubjectAlternateNames are present in a certificate, the browser should ignore the subject; in practice, I wish I knew what happens.)
  • Are there any widely-trusted CAs who could create such a certificate for me?
Zizzencs
  • Is there some reason you can't have a name such as www.other.nameofthecompany.com and www.nameofthecompany.com? Your question doesn't reflect these possibilities. – djangofan Nov 22 '10 at 01:59
  • Well, the certificate should cover 250+ domain names with that * character. I think that explains it. – Zizzencs Nov 22 '10 at 18:34
  • Did you ever get a definitive answer? The question marked as "Answer" below doesn't seem to indicate an actual answer about whether the multiple wildcards can be in the SAN field. – jslatts Jan 29 '13 at 19:05
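The second question above (does the Subject CN still matter once SANs are present, and how far does a `*.` entry reach) can be answered by writing out the name-matching rules a browser applies. The following is an added example, not code from the question or any answer: it implements the RFC 6125 / RFC 2818 rules in plain Python against the exact CN and SAN list proposed in the question. The function names (`dns_name_matches`, `cert_matches_hostname`, `coverage_report`) are this example's own, and the minimum-label check is a deliberately conservative approximation of the public-suffix rules CAs enforce.

```python
"""Hostname matching against a certificate's Subject CN and dNSName SANs.

Constructed example: the rules are the RFC 6125 / RFC 2818 ones browsers apply,
and the certificate contents are the ones proposed in the question.
"""


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName (a SAN entry or the CN) against a hostname.

    Rules applied, matching common browser behaviour:
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is honoured only as the entire leftmost label, so
        "*.example.com" is fine but "f*.example.com" or "a.*.example.com" is not;
      * the wildcard matches exactly one non-empty label, so "*.example.com"
        covers "www.example.com" but neither "example.com" nor "a.b.example.com";
      * a wildcard needs at least two labels after it, which keeps "*" and
        "*.com" out (a conservative stand-in for the public-suffix rules).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(subject_cn, san_dns_names, hostname) -> bool:
    """Decide whether a certificate is valid for a hostname.

    When the certificate carries any dNSName SAN entries, only those are
    consulted and the Subject CN is ignored (RFC 6125 section 6.4.4). The CN is
    used only as a fallback for certificates that have no SAN entries at all.
    """
    candidates = list(san_dns_names) if san_dns_names else [subject_cn]
    return any(dns_name_matches(name, hostname) for name in candidates)


# The certificate layout proposed in the question.
QUESTION_CN = "*.onenameofthecompany.com"
QUESTION_SANS = [
    "onenameofthecompany.com",
    "othernameofthecompany.com",
    "*.onenameofthecompany.com",
    "*.othernameofthecompany.com",
]


def coverage_report(hostnames):
    """Return {hostname: bool} saying which names the question's certificate covers."""
    return {h: cert_matches_hostname(QUESTION_CN, QUESTION_SANS, h) for h in hostnames}


if __name__ == "__main__":
    report = coverage_report([
        "onenameofthecompany.com",
        "WWW.othernameofthecompany.com",
        "bla.onenameofthecompany.com",
        "a.bla.onenameofthecompany.com",  # two labels under the wildcard: not covered
        "thirdnameofthecompany.com",       # not in the SAN list at all
    ])
    for host, ok in report.items():
        print(f"{host:40} {'covered' if ok else 'NOT covered'}")
```

Two things the run makes visible: because the SAN list is non-empty, whatever sits in the Subject CN is never consulted, so the choice between `*.onenameofthecompany.com` and `onenameofthecompany.com` there only affects clients that predate SAN support; and each `*.` entry reaches exactly one label down, so a name like `a.bla.onenameofthecompany.com` needs its own entry (or a `*.bla.` entry) even with 250 wildcards in the list.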

5 Answers

5

I believe what you need is a SAN SSL certificate (Subject Alternative Name); for instance, Verisign has it: http://www.verisign.com/ssl/buy-ssl-certificates/specialized-ssl-certificates/san-ssl-certificates/

Also, I heard about http://www.cacert.org/. This is a community that issues free certificates to you, but I have no experience with it. It might be worth a shot.

HTH!

byte_slave
  • Unfortunately, CAcert in my experience isn't a viable option. Almost nobody uses them, as they don't have widespread inclusion in browsers. I and my group of Linux users here went through the process of becoming signers right when they first came out, but I honestly haven't had anyone asking about them in years. It's a great idea, but just doesn't have traction behind it, IMHO. – Sean Reifschneider Nov 16 '10 at 13:46
  • Yes, I would need a SAN certificate, where in the SAN field I have wildcard domains listed. – Zizzencs Nov 16 '10 at 14:22
  • CACert: As of today, I get a certificate warning when visiting a secure page on their own site cacert.org. Firefox says they can't be trusted. – Slava May 08 '15 at 14:22
4

It has always been possible to include multiple wildcards in a SN/SAN, but the majority of browsers added support for them in the last few years (around the time this question was originally asked). Now, you should have little trouble finding a Certificate Authority that will issue such a certificate, and most clients should accept it.

Chris S
2

I would suggest checking GeoTrust True Business ID with Multi Domain, which would work perfectly for you. Though it does not let you add a wildcard to the SAN certificate, you can add up to 25 domains, and they are all protected by a single SSL certificate.

You can check it at following URL:

https://www.thesslstore.com/geotrust/true-businessid-multi-domain.aspx

Gaurav Maniar MCP | MCSE | MCST | MCITP | ITILv3 Certified

maniargaurav
0

I wouldn't use wildcard certificates at all, as they can facilitate an SSL man-in-the-middle attack.

However, if you still want to:

  1. IE6 apparently had some issues dealing with these.

  2. Try different configurations with either a self-issued certificate authority or CACert. You will see what is the best between *.yoursite.com and yoursite.com with SAN.

  3. Take a look at this page. It shows that all major certificate providers (Comodo, DigiCert, Thawte...) can provide wildcard certs.

petrus
0

I've been in shops that use DigiCert for this very exact thing. Check out their WildCard Plus certs.

Belmin Fernandez