Wildcard SSL Certificates

What is a wildcard certificate, and who is it suitable for? In short: a single SSL certificate that secures an unlimited number of subdomains.

With a single wildcard SSL certificate you can secure several subdomains that reside on the same server and at the same domain level. You receive a certificate for *.hereyourname.com and can attach as many subdomains to it as you want. This is useful for organizations that host a single domain but run several subdomains (e.g. webmail.hereyourname.com, http://www.hereyourname.com and shop.hereyourname.com).

Note: Because of the way the SSL protocol matches wildcards, a wildcard certificate cannot be used for *.*.hereyourname.com, i.e. for names such as example.example.hereyourname.com. The wildcard covers exactly one subdomain level: *.hereyourname.com matches example.hereyourname.com and nothing deeper.

The wildcard SSL certificate is an affordable and efficient way to secure several subdomains with one certificate. A big difference from a SAN SSL certificate is that you do not have to list your subdomains when you register. This is handy if, for instance, you need a temporary subdomain.

A Wildcard SSL certificate secures your website URL, and an unlimited number of its subdomains. A single Wildcard certificate can secure both http://www.coolexample.com, and blog.coolexample.com.

Wildcard certificates secure all of the subdomains at the level you specify when you submit your request. Just add an asterisk (*) in the subdomain area of the common name where you want to specify the wildcard. For example:

If you configure *.coolexample.com, you can secure:
  • www.coolexample.com
  • photos.coolexample.com
  • blog.coolexample.com, etc.

If you configure *.www.coolexample.com, you can secure:
  • mail.www.coolexample.com
  • photos.www.coolexample.com
  • blog.www.coolexample.com, etc.

Wildcard certificates secure websites the same as a regular SSL certificate, and requests are processed using the same validation methods. However, some Web servers might require a unique IP address for each subdomain on the Wildcard certificate.

NOTE: A Wildcard certificate secures only the level of subdomain you specify. So, if a certificate is configured for *.www.coolexample.com, it will not secure http://www.coolexample.com.

SAN Certificates: Subject Alternative Name

What is Subject Alternative Name?
Subject Alternative Names protect multiple host names with a single SSL certificate. The extension allows you to specify a list of host names to be protected by that one certificate.

The Subject Alternative Name extension has been part of the X.509 certificate standard since before 1999, but it only recently achieved widespread use with the launch of Microsoft Exchange Server 2007, which makes good use of Subject Alternative Name to simplify server configuration.

What can Subject Alternative Names do?

  • Secure host names on different base domains in one certificate.
  • Virtual host multiple SSL sites on a single IP address. Hosting multiple SSL-enabled sites on a single server typically requires a unique IP address per site, but a certificate with Subject Alternative Names solves this problem. Microsoft IIS 6 and Apache can both virtual host HTTPS sites using a Unified Communications SSL certificate, also known as a SAN certificate.

SAN Certificates can secure:

  • Multiple fully qualified domain names (FQDN) with a single certificate. SAN Certificates are often needed
    to secure Exchange 2007 Server or Office Communications Server 2007.
  • Instances where there is a need to secure multiple domains that resolve to a single IP address (such as
    in a shared hosting environment).

Using a SAN certificate saves the hassle and time involved in configuring multiple IP addresses on an Exchange 2007 server, binding each IP address to a different certificate, and running a lot of low-level PowerShell commands just to piece it all together.

How do browsers use the Subject Alternative Name field in an SSL certificate?
When a browser connects to a server over https, it checks that the SSL certificate matches the host name in the address bar.
There are three ways for a browser to find a match:
1. The host name (in the address bar) exactly matches the Common Name in the certificate's Subject.
2. The host name matches a wildcard Common Name. For example, http://www.example.com matches the Common Name *.example.com.
3. The host name is listed in the Subject Alternative Name field.

Comparing the server name it connects to with the Common Name in the server certificate is the most common way an SSL client (browser) matches the host name typed in the address bar. It is safe to assume that all SSL clients support exact Common Name matching.
If an SSL certificate has a Subject Alternative Name (SAN) field, SSL clients are supposed to ignore the Common Name value and look for a match in the SAN list instead.
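The matching rules described above (exact Common Name, single-level wildcard, and SAN list taking precedence over the Common Name) carried through as an added example; this is my own illustration, not code from the page or from any browser, and the function names and the certificate values in it are constructed for the demonstration:

```python
def wildcard_matches(pattern: str, host: str) -> bool:
    """Match a one-level wildcard such as '*.coolexample.com' against host.
    The '*' must be the whole leftmost label and stands for exactly one
    label, so *.coolexample.com covers www.coolexample.com but neither
    coolexample.com itself nor a.b.coolexample.com (the page's caveat)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or p_labels[0] != "*":
        return False
    # Added safety rule: refuse wildcards directly under a TLD such as '*.com'.
    if len(p_labels) < 3 or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def name_matches(name: str, host: str) -> bool:
    """Exact (case-insensitive) match, or wildcard match if name starts with '*.'."""
    if name.startswith("*."):
        return wildcard_matches(name, host)
    return name.lower().rstrip(".") == host.lower().rstrip(".")


def certificate_matches(host: str, common_name: str, san_dns_names=()):
    """Decide whether a certificate is valid for host, as a browser would.
    Returns (matched, reason). When SAN DNS names are present the Common
    Name is ignored entirely, so a host listed only in the CN is rejected."""
    if san_dns_names:
        for san in san_dns_names:
            if name_matches(san, host):
                return True, f"matched SAN entry {san}"
        return False, "no SAN entry matches (Common Name ignored because SAN present)"
    if name_matches(common_name, host):
        return True, f"matched Common Name {common_name}"
    return False, f"Common Name {common_name} does not match"


if __name__ == "__main__":
    # Constructed certificates: a wildcard-CN cert and a SAN cert.
    for host in ("www.coolexample.com", "coolexample.com", "a.b.coolexample.com"):
        print(host, certificate_matches(host, "*.coolexample.com"))
    san_cert = ["mail.example.com", "autodiscover.example.com"]
    for host in ("autodiscover.example.com", "legacy.example.com"):
        print(host, certificate_matches(host, "legacy.example.com", san_cert))
```

The last call shows the SAN precedence rule: legacy.example.com is the Common Name, but because the certificate carries a SAN list that does not include it, the match fails.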

Which SSL clients support Subject Alternative Names?
Most mobile devices support Subject Alternative Names, but all of them support exact Common Name matching.
  • Internet Explorer, Firefox, Opera, Safari, and Netscape have all supported Subject Alternative Names
    since 2003. Internet Explorer has actually supported them since Windows 98.
  • Windows Mobile 5 supports Subject Alternative Names.
  • Newer Palm Treo devices use WM5, but the older ones run PalmOS and use VersaMail for ActiveSync.
    The older Treos do not support SAN name matching.
  • Sony Ericsson smart phones (phones running Symbian OS) do not support Subject Alternative Name
    matching.
Because not all mobile devices support the Subject Alternative Name field, it is safer to set the Common Name to the server name that most mobile devices will use. It may be necessary to use both SAN certificates and other SSL certificates where the client environment is highly diversified and may include clients that do not support SAN certificates.