1

We have a wildcard .pfx file that's of the PKCS #12 convention. We have a vendor that's trying to use it, but it's only working on the whatever.company.com sites (for desktops), and not working on the m.whatever.company.com sites (for mobile). We're assuming this is happening because the wildcard cert is only for *.company.com, and not *.*.company.com.

Do we need to get a new cert created for *.*.company.com or does anyone know of a way to... I don't know... append the additional sub-subdomain to the existing cert? Maybe with keytool and/or OpenSSL...?

1 Answer

3

First, you cannot edit an existing signed certificate without invalidating the signature. And with an invalid signature the certificate will be considered invalid and rejected by the browser. Just imagine if editing a certificate were possible and the edited certificate accepted by the browser: in this case an attacker could easily modify an existing certificate for its own domain to include any other domain for which he wants to do a man-in-the-middle attack.

Apart from that, wildcards like *.*.example.com are not possible, i.e. only a single wildcard is allowed and only in the leftmost label.

Steffen Ullrich
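Added example, not part of the answer above: a small Python check of the wildcard rule the answer states (one `*`, leftmost label only, covering exactly one label), run against the hostnames from the question. The function names and the `REISSUED` name list are hypothetical, and partial-label wildcards such as `f*.example.com` are treated as invalid for simplicity.

```python
def is_valid_pattern(pattern: str) -> bool:
    """A certificate name may carry one '*', and only as the whole leftmost label."""
    labels = pattern.lower().rstrip(".").split(".")
    if not all(labels):
        return False                      # empty label, e.g. "a..b"
    if "*" not in pattern:
        return True                       # plain hostname, no wildcard
    return labels[0] == "*" and pattern.count("*") == 1 and len(labels) >= 2


def name_matches(pattern: str, hostname: str) -> bool:
    """True if hostname is covered by pattern; '*' stands for exactly one label."""
    if not is_valid_pattern(pattern) or "*" in hostname:
        return False
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False                      # a wildcard never spans two labels
    if p[0] == "*":
        return p[1:] == h[1:]             # only the leftmost label may differ
    return p == h


def uncovered(cert_names, hostnames):
    """Hostnames that none of the certificate's names cover."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in cert_names)]


# Names from the question; the lists themselves are constructed for this example.
CERT_NAMES = ["*.company.com"]
HOSTS = ["whatever.company.com", "m.whatever.company.com"]
# Hypothetical name list for a newly issued certificate (an assumption, not from the page).
REISSUED = ["*.company.com", "*.whatever.company.com"]

if __name__ == "__main__":
    print("not covered by existing cert:", uncovered(CERT_NAMES, HOSTS))
    print("not covered after reissue:   ", uncovered(REISSUED, HOSTS))
    print("*.*.company.com valid?       ", is_valid_pattern("*.*.company.com"))
```
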