Saturday, October 13, 2018


In computer networking, a wildcard certificate is a public key certificate that can be used with multiple subdomains of a domain. Its principal use is securing web sites with HTTPS, but it applies equally to other TLS-protected services such as IMAP and POP3 (RFC 2595). Compared with obtaining a separate certificate for each subdomain, a single wildcard certificate can be cheaper and more convenient, at the cost that one certificate and one private key then vouch for every host the wildcard covers.





Example

A single wildcard certificate for *.example.com covers all of these subdomains of example.com:

  • payment.example.com
  • contact.example.com
  • login-secure.example.com
  • www.example.com

Instead of obtaining a separate certificate for each subdomain, one certificate covers every host one level below example.com, which reduces cost and administrative effort.

Because the wildcard covers only one level of subdomains (the asterisk does not match a full stop), a name such as the following is not covered by the certificate:

  • test.login.example.com

The "naked" (apex) domain is covered only when it is added separately as a Subject Alternative Name (subjectAltName) entry:

  • example.com

Some CAs add this automatically: for example, DigiCert's "Wildcard Plus" certificate includes the naked domain example.com alongside *.example.com without it having to be requested separately.





Type of wildcard certificates

Wildcard certificates are categorised by validation level, by the number of domains they cover, and by the number of servers they may be installed on. By validation level they are sold as domain-validated (DV) and organisation-validated (OV) wildcard certificates; an extended-validation (EV) wildcard does not exist, because the EV Guidelines do not permit wildcard names (see Limitations). By scope they are sold as multi-domain wildcard certificates (several wildcard names in one certificate's SAN list) and multi-server wildcard certificates (one certificate licensed for installation on several servers). The wildcard products of the popular CAs are catalogued and listed on the internet along these lines. Note that "multi-server" is a CA licensing term rather than a technical property: the same certificate and private key work on any number of servers, which is precisely why copies of that key need to be tracked and protected.




Limitations

Only a single level of subdomain matching is supported, in accordance with RFC 2818 (and later RFC 6125): *.example.com matches a.example.com but not b.a.example.com.

It is not possible to obtain a wildcard name in an Extended Validation certificate, since the CA/Browser Forum EV Guidelines do not allow it. The usual workaround is to list every virtual host name in the Subject Alternative Name (SAN) extension; the drawback is that the certificate must be reissued whenever a new virtual host is added. (See Transport Layer Security § Support for name-based virtual servers for more information.)

Wildcards can be included as names in multi-domain certificates or Unified Communications Certificates (UCC). A wildcard certificate can also carry further subjectAltName entries, including other wildcards. For example, the certificate for *.wikipedia.org has *.m.wikimedia.org as a Subject Alternative Name, so it secures www.wikipedia.org as well as the entirely different host name meta.m.wikimedia.org.

RFC 6125 (Section 7.2) argues against wildcard certificates on security grounds: a wildcard vouches for every host name under the domain, and in practice the certificate's private key is copied to all of those hosts, so the compromise of any one of them allows an attacker to impersonate the rest.




Examples

The wildcard applies only to just one label of the domain name.

label.label.label.TLD
*.domain.com is OK. It will match www.domain.com but not domain.com and not zzz.www.domain.com

The wildcard may appear anywhere inside the left-most label (a "partial wildcard"). RFC 6125 permits clients to match these, but the CA/Browser Forum Baseline Requirements do not allow CAs to issue them, and current major browsers reject them; the forms below are therefore of interest mainly when writing or auditing a verifier.

f*.domain.com is OK. It will match frog.domain.com but not frog.super.domain.com
baz*.example.net is OK and matches baz1.example.net
*baz.example.net is OK and matches foobaz.example.net
b*z.example.net is OK and matches buzz.example.net

A label that consists entirely of a wildcard is allowed only as the left-most label.

sub1.*.domain.com is not allowed.

A name with more than one wildcard is not allowed.

*.*.domain.com

A wildcard directly under a top-level domain is not allowed.

*.com

A bare wildcard is too general and must not be allowed.

*

Internationalised domain names encoded in ASCII (A-labels) are labels that begin with xn--.

Wildcards are not allowed inside an internationalised label, although a wildcard in an ordinary label may sit next to one.

xn--caf-dma.com is café.com
xn--caf-dma*.com is not allowed
Lw*.xn--caf-dma.com is allowed
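As an added worked example (not part of the original article), the rules listed above, together with the single-level behaviour and the naked-domain SAN case from the Example section, implemented as a small hostname matcher in Python. The SAN lists at the bottom are constructed samples, not real certificates, and the allow_partial flag is an assumption of this example: it models a browser-style client that rejects partial wildcards even though RFC 6125 permits matching them.

```python
"""Hostname matching against certificate dNSName identifiers, wildcards included.

Implements the wildcard rules of RFC 6125 section 6.4.3 (and RFC 2818):
a wildcard spans exactly one label, may appear only in the left-most label,
may not be the whole name or sit directly under a TLD, and may not be
embedded in an IDN A-label (xn--).  Partial wildcards (f*.example.com) are
permitted by RFC 6125 but rejected by the CA/Browser Forum Baseline
Requirements and by current browsers; allow_partial=False models that
stricter client.  Example code, not taken from any library.
"""

from typing import Iterable, List, Optional


def _labels(name: str) -> Optional[List[str]]:
    """Split a DNS name into lower-cased labels; None if any label is empty."""
    labels = name.lower().rstrip(".").split(".")
    if any(label == "" for label in labels):
        return None
    return labels


def wildcard_is_acceptable(presented: str, allow_partial: bool = True) -> bool:
    """True if `presented` is a wildcard identifier a client may match at all."""
    labels = _labels(presented)
    if labels is None or presented.count("*") != 1:
        return False                     # no wildcard at all, or *.*.domain.com
    if "*" not in labels[0]:
        return False                     # sub1.*.domain.com: not the left-most label
    if labels[0].startswith("xn--"):
        return False                     # xn--caf-dma*.com: wildcard inside an A-label
    if len(labels) < 3:
        return False                     # "*" and "*.com" are too broad
    if not allow_partial and labels[0] != "*":
        return False                     # f*.domain.com under browser/BR rules
    return True


def dns_id_matches(reference: str, presented: str, allow_partial: bool = True) -> bool:
    """Does the hostname `reference` match the certificate identifier `presented`?"""
    ref = _labels(reference)
    pres = _labels(presented)
    if ref is None or pres is None:
        return False
    if "*" not in presented:
        return ref == pres               # plain identifier: exact, case-insensitive match
    if not wildcard_is_acceptable(presented, allow_partial):
        return False
    if len(ref) != len(pres) or ref[1:] != pres[1:]:
        return False                     # the wildcard covers exactly one label, never a dot
    head, _, tail = pres[0].partition("*")
    leaf = ref[0]
    # '*' is treated here as zero or more characters of the left-most label only
    return (len(leaf) >= len(head) + len(tail)
            and leaf.startswith(head) and leaf.endswith(tail))


def cert_covers(hostname: str, san_dns_names: Iterable[str], allow_partial: bool = True) -> bool:
    """True if any dNSName in the certificate's SAN list covers `hostname`."""
    return any(dns_id_matches(hostname, name, allow_partial) for name in san_dns_names)


# Constructed sample SAN lists (assumptions for this example, not real certificates):
# the Example section's wildcard with the naked domain added as a SAN entry, and the
# *.wikipedia.org / *.m.wikimedia.org pairing mentioned under Limitations.
EXAMPLE_SAN = ["*.example.com", "example.com"]
WIKIPEDIA_SAN = ["*.wikipedia.org", "*.m.wikimedia.org"]

if __name__ == "__main__":
    for host in ["payment.example.com", "www.example.com", "example.com",
                 "test.login.example.com"]:
        print(f"{host:28} {cert_covers(host, EXAMPLE_SAN)}")
    for host in ["www.wikipedia.org", "meta.m.wikimedia.org"]:
        print(f"{host:28} {cert_covers(host, WIKIPEDIA_SAN)}")
```

The design point worth noting is that wildcard_is_acceptable is checked before any comparison is attempted: a verifier that first tries to match and only then asks whether the presented name was a legal wildcard tends to accept *.com or sub1.*.domain.com by accident. Dropping example.com from EXAMPLE_SAN makes cert_covers("example.com", ...) return False, which is exactly the naked-domain gap the Example section describes.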



References




Relevant RFCs

  • "RFC 2595 - Using TLS with IMAP, POP3 and ACAP". Internet Engineering Task Force. June 1999. p. 3.
  • "RFC 2818 - HTTP Over TLS". Internet Engineering Task Force. May 2000. p. 5.
  • "RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)". Internet Engineering Task Force. March 2011.

Source of article: Wikipedia