7

I have deployed SSL certificates on various websites; however, this wildcard SSL certificate is totally new to me. I have a question: if I am buying an SSL certificate for *.example-private.com, will it work for *.staging.example-private.com, or do I have to buy a different wildcard SSL certificate for the staging site? I am going to implement this on new sites.

Shailesh Sutar
  • 1,517
  • 5
  • 23
  • 41
  • This is NOT dupe of #436975; that Q is for wildcard **DNS** while this Q is for wildcard **SSL-cert** which are quite different things with _opposite_ answers (DNS wildcard is multilevel, cert isn't). OTOH #104160 #87869 #296390 #645230 _are_ dupes for wildcard SSL-cert. – dave_thompson_085 Aug 25 '17 at 03:13

6 Answers

17

A wildcard covers only one level. So *.example.com will cover foo.example.com, bar.example.com, and staging.example.com but not foo.staging.example.com or example.com.

However you can have multiple names (including wildcards) on the same certificate, so in principle a single certificate could be issued covering all the above names.

I know that CAs will happily issue certificates covering both example.com and *.example.com; I'm not sure what typical policies are on issuing certificates with more names.

Also I would question whether this is really what you want. Do you really want to put your production secrets on your staging server?

Peter Green
  • 4,211
  • 12
  • 30
  • Basically I am going to setup only my `*.example-private.com` site but I was not sure what to do. – Shailesh Sutar Nov 26 '16 at 23:22
  • 1
    I thought wildcard certificates by *default* covered the domain on its own. That's at least how my certificates are issued. – Amani Kilumanga Nov 27 '16 at 05:21
  • 2
    @AmaniKilumanga That might be how yours are issued, but it's not how they work. The `*` does not match a non-existent label (technically, it matches exactly one label with any value), so to match both `example.com` and `*.example.com` the certificate needs to contain both of those two subject common names. – user Nov 27 '16 at 13:37
  • @MichaelKjörling: must have both names yes, but in SAN as dNSName's not in Subject as CommonName's. – dave_thompson_085 Nov 28 '16 at 16:10
12

A wildcard only matches one domain level, so *.staging.example.com would not be matched and you need another cert for subdomains of it.

https://en.wikipedia.org/wiki/Wildcard_certificate

Sven
  • 98,649
  • 14
  • 180
  • 226
2

As mentioned by Peter and Sven, a wildcard will only support one wildcard level in the domain name. That said, you have many possible ways to implement a naming scheme.

You can easily set up the servers in your production environment ( work.example.com ) and use the same certificate for your staging ( stagingwork.example.com ) and development ( devwork.example.com ) servers (those are separate from your production servers, correct? :) ). One certificate, many hosts and domain names.

Robert Miller
  • 234
  • 1
  • 2
2

A Wildcard SSL certificate can secure only first-level sub-domains of the common name (CN), so when the certificate is issued for *.example-private.com it can secure the root domain and all its first-level sub-domains, as below.

staging.example-private.com
mail.example-private.com
anything.example-private.com

To secure second-level sub-domains such as *.staging.example-private.com, you have two options.

1. Purchase another wildcard certificate:

Your administrator needs to purchase a different certificate for each one and manage all certificate configuration, renewal, expiry, and installation.

2. Purchase Multi-Domain wildcard certificate:

This product allows you to secure up to 100 websites and their unlimited sub-domains with a single certificate. You need to set *.example-private.com as your primary domain name and add the other domain names in the SAN field.

For Example:

*.example-private.com
*.staging.example-private.com
*.anysub.example-private.com
*.anydomain.tld

For more information about how a multi-domain wildcard certificate works, you can refer to this link - https://www.ssl2buy.com/comodo-multi-domain-wildcard-ssl.php

Jason Parms
  • 272
  • 2
  • 5
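As an added example (not code from this thread, its answers, or any CA or product mentioned here), the following Python implements the one-label wildcard rule that Peter Green's answer describes, using the client-side matching rules from RFC 6125 section 6.4.3, evaluates a multi-name SAN list like the one in Jason Parms's answer, and computes the SAN entries needed to cover a given set of hostnames. The `matches_wildcard`, `cert_covers` and `plan_sans` functions, the `SAN_LIST` constant and the hostnames fed to them are constructed for illustration and are not taken from the thread.

```python
"""Wildcard certificate name matching and SAN planning (added example).

Implements the RFC 6125 section 6.4.3 rules that browsers apply: '*' is
honoured only as the complete left-most label, it matches exactly one label,
and it never matches the bare parent domain. Also evaluates a multi-name
subjectAltName list and computes the SAN entries needed to cover a host set.
"""
from __future__ import annotations

from collections import defaultdict


def matches_wildcard(pattern: str, hostname: str) -> bool:
    """Return True if the dNSName entry `pattern` covers `hostname`.

    Rules (as browsers and RFC 6125 apply them):
      * exact names compare case-insensitively;
      * '*' is honoured only as the entire left-most label ('*.example.com');
        partial wildcards such as 'f*.example.com' or '*.*.example.com' are rejected;
      * the wildcard matches exactly one label, so '*.example.com' matches
        'staging.example.com' but neither 'example.com' nor 'foo.staging.example.com';
      * a wildcard needs at least two labels to its right, so '*.com' is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label and nothing else may contain '*'.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Refuse over-broad wildcards like '*.com'.
    if len(p_labels) < 3:
        return False
    # Exactly one label is consumed by '*', so the label counts must be equal.
    if len(h_labels) != len(p_labels):
        return False
    # The matched label must be non-empty and the remaining suffix must match exactly.
    return h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def cert_covers(san_dns_names: list[str], hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN list covers `hostname`."""
    return any(matches_wildcard(name, hostname) for name in san_dns_names)


def plan_sans(hostnames: list[str]) -> list[str]:
    """Compute the SAN dNSName entries needed to cover every hostname.

    Hosts are grouped by parent domain: a parent with two or more children gets
    one '*.parent' entry, a lone child is listed explicitly, and a bare domain
    such as 'example-private.com' is always listed explicitly because no
    issuable wildcard covers it. The result is sorted for deterministic output.
    """
    explicit: set[str] = set()
    children: dict[str, set[str]] = defaultdict(set)
    for host in hostnames:
        host = host.lower().rstrip(".")
        labels = host.split(".")
        if len(labels) < 2 or "" in labels:
            raise ValueError(f"not a usable hostname: {host!r}")
        if len(labels) == 2:
            explicit.add(host)  # parent would be a bare TLD; '*.tld' is not issuable
        else:
            children[".".join(labels[1:])].add(host)
    sans = set(explicit)
    for parent, hosts in children.items():
        if len(hosts) >= 2:
            sans.add("*." + parent)
        else:
            sans.update(hosts)
    plan = sorted(sans)
    # Self-check: every requested host must be covered by the plan.
    uncovered = [h for h in hostnames if not cert_covers(plan, h)]
    assert not uncovered, uncovered
    return plan


# Constructed sample SAN list: apex, first level, and the staging sub-tree.
SAN_LIST = ["example-private.com", "*.example-private.com", "*.staging.example-private.com"]

if __name__ == "__main__":
    for host in ["example-private.com", "staging.example-private.com",
                 "photos.staging.example-private.com"]:
        single = matches_wildcard("*.example-private.com", host)
        multi = cert_covers(SAN_LIST, host)
        print(f"{host:38s} single wildcard: {single!s:5s}  multi-SAN: {multi}")
    print(plan_sans(["example-private.com", "www.example-private.com",
                     "mail.example-private.com", "photos.staging.example-private.com",
                     "news.staging.example-private.com", "only.dev.example-private.com"]))
```

Running the block shows the single `*.example-private.com` entry covering `staging.example-private.com` but not the apex or `photos.staging.example-private.com`, while the three-entry SAN list covers all of them; `plan_sans` turns a host inventory into the wildcard-per-level list you would put in a multi-domain request.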
0

A Wildcard SSL Certificate enables SSL encryption on multiple subdomains using a single certificate. Subdomains on the certificate must all share the same primary domain.

For instance, example.com, www.example.com, blog.example.com, could all be secured using the same wildcard SSL as they all use the same primary domain. However, billing.yoursitesdomain.com could not be used with this certificate, as it is using a different primary domain.

One more thing:

LE supports "SAN" certificates where you need to specify every domain. There are no wildcards. For more detail see this: LetsEncrypt Subdomain wildcard

One more thing:

This thread says: Ideally, our staging sites (*.our-agency-staging-domain.com) would all share the same self-signed SSL certificate. That would allow us to:

  • Automatically make HTTPS available for all staging sites

  • Avoid the cost and time overhead of purchasing 2 or 3 certs for each project

  • Deliver a better experience to our developers

another good link

Adiii
  • 171
  • 4
0

You might have misinterpreted the function of a Wildcard certificate. A Wildcard SSL Certificate issued on *.example-private.com will only secure a single level, for example:

*.example-private.com will secure:

example-private.com
abc.example-private.com
def.example-private.com
ghi.example-private.com

Now if you want to secure second-level sub-domains, you should go with a Multi-Domain Wildcard certificate. This certificate will secure domains as under:

*.example-private.com
www.example-private.com
shop.example-private.com
staging.example-private.com

*.staging.example-private.com
photos.staging.example-private.com
news.staging.example-private.com
blog.staging.example-private.com

I suggest you browse this article to learn more about how Wildcard SSL can be helpful to secure sub-domains.