
I have two SSL certificates, one for *.sub.domain.com and one for *.domain.com.

I don't have issues with the domain-level wildcard certificate, meaning https://www.domain.com and https://domain.com work fine without any certificate errors.

But for the other one, https://sub.domain.com gives a certificate error (address mismatch), while https://www.sub.domain.com doesn't give any error.

Just another piece of info: both certificates are from the same provider.

NMK
  • Which SSL certificate are you offering up on the server https://sub.domain.com ? – MadHatter Feb 03 '15 at 11:34
  • It's *.sub.domain.com – NMK Feb 03 '15 at 11:38
  • That's your problem - wrong certificate. `sub.domain.com` doesn't match `*.sub.domain.com`, but it does match `*.domain.com`. – MadHatter Feb 03 '15 at 11:47
  • Thanks @MadHatter. But wildcard certificates will match up to one level from the left. I think, as zakjan mentioned, it's probably a SAN difference between the two certificates. – NMK Feb 03 '15 at 11:54
  • Yes, but they won't match **nothing at all**. Zakjan's point is that `domain.com` doesn't match `*.domain.com`, which is very true, and just as truly `sub.domain.com` doesn't match `*.sub.domain.com`. It is true that in the bare domain case this is often handled by SANs, but in your case you have a wildcard certificate that **will** match `sub.domain.com` - all you need to do is use it. – MadHatter Feb 03 '15 at 12:01
  • Okay, got it. But if I want to support both http://www.sub.domain.com and http://sub.domain.com then I will have to go for a new cert, I guess. – NMK Feb 03 '15 at 12:19
  • No, I think you just need to make sure that on any given server instance, you offer the appropriate certificate. You've told us nothing about your web server setup, so it's hard to be more specific. Are you using SNI? – MadHatter Feb 03 '15 at 12:26
  • @MadHatter, you are correct. I just want to make sure I have the proper SANs added so that I can just use one certificate. – NMK Feb 03 '15 at 16:50
  • You can't do this with one certificate. I know of no certificating authority that will issue a double-wildcard certificate, valid for both `*.domain.com` and `*.sub.domain.com`. I'm not even sure it's technically possible to do so, though I'm no expert on these matters. – MadHatter Feb 03 '15 at 18:18
  • Maybe; even I am not sure, but I will try my luck with the CA this April. By the way, google.com has all sorts of combinations in just one certificate. – NMK Feb 04 '15 at 05:56

1 Answer

A wildcard certificate issued for *.domain.com doesn't secure the bare domain.com by default.

Run `openssl x509 -in certificate.crt -noout -text` on both certs to see their human-readable content. Look for the X509v3 Subject Alternative Name (SAN) field. If it is present, it specifies multiple DNS names that can be secured by the cert.

I suppose your *.domain.com cert has it, whereas your *.sub.domain.com cert doesn't; in that case, ask for a new wildcard SAN cert.

zakjan
  • Just checked: *.domain.com has domain.com as well, but the subdomain certificate just has the wildcard. – NMK Feb 03 '15 at 11:55
  • Instead of paying for a new cert, you can use `*.domain.com` to secure `sub.domain.com` as mentioned by @MadHatter, of course. – zakjan Feb 03 '15 at 11:59
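The matching rule the answer and comments rely on (a `*` covers exactly one leftmost label, never zero and never more, per RFC 6125 section 6.4.3), as an added example that is not code from the question, the answer, or any TLS library. The two SAN lists are constructed to mirror the certificates described above; `which_cert` is a hypothetical helper showing which of the two should be served for a given name.

```python
"""Wildcard hostname matching as TLS clients apply it (RFC 6125 6.4.3).

Added example, not from the original question or answers. The SAN lists
below are constructed to mirror the two certificates described on the page.
"""


def _label_matches(pattern_label: str, host_label: str) -> bool:
    # A wildcard must be the entire leftmost label; partial wildcards such
    # as "w*" are deliberately not accepted (modern clients reject them too).
    if pattern_label == "*":
        return True
    return pattern_label == host_label


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate DNS name (possibly starting with '*') covers
    hostname. '*' stands for exactly one label, so '*.domain.com' covers
    'sub.domain.com' but neither 'domain.com' nor 'www.sub.domain.com'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):      # wildcard never spans zero or two labels
        return False
    if any(lbl == "*" for lbl in p_labels[1:]):  # wildcard only in leftmost label
        return False
    if p_labels[0] == "*" and len(p_labels) < 3:  # conservative: refuse "*.com"
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_covers(san_names, hostname: str) -> bool:
    """True if any DNS name in the cert's SAN list covers hostname."""
    return any(name_matches(n, hostname) for n in san_names)


# Constructed SAN lists mirroring the two certificates on the page.
DOMAIN_WILDCARD = ["*.domain.com", "domain.com"]  # CA added the bare name as a SAN
SUB_WILDCARD = ["*.sub.domain.com"]               # wildcard only, no bare name


def which_cert(hostname: str):
    """Hypothetical helper: pick which of the two certs to serve, or None."""
    for label, names in (("sub", SUB_WILDCARD), ("domain", DOMAIN_WILDCARD)):
        if cert_covers(names, hostname):
            return label
    return None
```

`which_cert("sub.domain.com")` returns `"domain"`, which is exactly MadHatter's point: the `*.domain.com` certificate is the one a server should present for that name.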