I have a web app in Azure. I have requested a wildcard SSL certificate for `*.blog.mydomain.com`. I was going to use it on all blog subdomains as well as on `blog.mydomain.com`. However, when I try to bind it on `blog.mydomain.com`, it doesn't accept it. What could be the reason?
This isn't a question about programming, so it's off-topic for StackOverflow. It would be on-topic in the [Webmasters](https://webmasters.stackexchange.com/) site. Anyway, you're getting the expected behaviour. The wildcard matches a name followed by `.blog.mydomain.com`, and the `blog.mydomain.com` string does not follow that pattern. If you want the cert to apply to `blog.mydomain.com` in addition to the wildcard then the cert's Subject Alternative Name field must include `blog.mydomain.com`. See [Wikipedia](https://en.wikipedia.org/wiki/Wildcard_certificate) for more info. – ottomeister Jan 16 '20 at 21:22
2 Answers
1
You need to specify both subject names, `blog.mydomain.com` and `*.blog.mydomain.com`, in the certificate's SAN.

BumbleBee

Rodrigo Murillo
Just updating the correct answer. I have regenerated the SSL certificate with a CSR which contained both `*.blog.mydomain.com` and `blog.mydomain.com`, and it worked. – BumbleBee Feb 19 '20 at 15:18
0
Which correct answer?

`*.mydomain.com` would make a whole lot more sense, because it covers all of these. It even circumvents the idea of using wildcards, to still add multiple host-names. If the `blog` is another server with another IP, this might be the only exception.

Martin Zeitler
It's a quirk/feature of SSL name resolution in the SAN. `*.mydomain.com` is not the same as `mydomain.com`. The wildcard domain does *not* resolve to the root domain name. You will need both, as my answer correctly describes. I agree with you that it is not immediately obvious why that is necessary. But it is. See https://www.digicert.com/kb/ssl-support/wildcard-san-names.htm for an explanation. – Rodrigo Murillo Feb 20 '20 at 02:24
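
Added example (not part of the original thread): a small Python check of how TLS clients match SAN dNSName entries under the RFC 6125 rule that a wildcard stands for exactly one left-most label, run over the names discussed above. The host `post.blog.mydomain.com` and all function names are constructed for illustration.

```python
"""Added example: SAN dNSName wildcard matching (RFC 6125, section 6.4.3)."""


def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def san_matches(pattern, hostname):
    """Return True if a single SAN entry covers hostname.

    A wildcard is honoured only as the complete left-most label and
    stands for exactly one label: never zero labels, never several.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False              # different depth, or an empty label
    if any("*" in label for label in h):
        return False              # a wildcard is a pattern, not a hostname
    if p[0] == "*":
        return p[1:] == h[1:]     # everything right of the wildcard is literal
    return p == h                 # plain name: exact match only


def coverage(san_list, hostnames):
    """Map each hostname to whether any SAN entry in san_list covers it."""
    return {h: any(san_matches(p, h) for p in san_list) for h in hostnames}


# Constructed inputs based on the names used in the thread.
HOSTS = ["blog.mydomain.com", "post.blog.mydomain.com", "mydomain.com"]
SAN_SETS = {
    "wildcard only": ["*.blog.mydomain.com"],
    "wildcard + base name": ["*.blog.mydomain.com", "blog.mydomain.com"],
    "parent wildcard": ["*.mydomain.com"],
}

if __name__ == "__main__":
    for label, sans in SAN_SETS.items():
        print(f"{label}: {sans}")
        for host, ok in coverage(sans, HOSTS).items():
            print(f"  {host:<24} {'covered' if ok else 'NOT covered'}")
```

Only the SAN set containing both `*.blog.mydomain.com` and `blog.mydomain.com` covers the blog host and its subdomains; a parent wildcard covers `blog.mydomain.com` but none of the names one level below it.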