
Wildcard SSL on sub-subdomain [closed]

Closed. This question is off-topic. It is not currently accepting answers.


Closed 9 years ago.


We have a wildcard SSL certificate for *.domain.example, and have a website with sub1.sub2.domain.example.

Safari 4.0.4 on macOS pops up a certificate error (presumably because of wildcard interpretation), while Safari 4 on Windows does not.

Also, IE8 behavior is mixed at best; some IE8 installations display the certificate error and some do not.

What causes this strange behavior on Safari and IE?


A wildcard SSL certificate for *.example.net will match sub.example.net but not sub.sub.example.net.

From RFC 2818:

Matching is performed using the matching rules specified by RFC2459. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.example matches foo.a.example but not bar.foo.a.example. f*.example matches foo.example but not bar.example.


If you need a wildcard certificate that contains *.domain.example sites and also works with sub1.sub2.domain.example or another domain like *.domain2.example, you can solve that with a single wildcard certificate with what is called a subject alternative name (SAN) extension for each of the other sub-subdomains. A SAN cert is not just for multiple specific host names; it can be created for wildcard entries as well.

For example, *.domain.example, sub1.sub2.domain.example, and *.domain2.example would have a Common Name of *.domain.example; then you would attach a subject alternative name of both *.domain2.example and *.sub2.domain.example. It might depend on the Certificate Authority as to how they would charge you (or not) for the certificate, but there are some out there where this offering is available. Also, SAN support is pretty widespread in the web browser space. The best real-world example of this use is Google's SSL cert. Go open Google and view its SSL certificate; you will see it works for *.google.com, *.youtube.com, *.gmail.com, and a bunch more where they are listed as subject alternative names.


The wildcard is only applied to the first part (from the left) of your domain. So you'll need a certificate for *.sub2.domain.example.

If you meant that you have sub1.domain.example and sub2.domain.example, then it should work.
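The matching rule quoted from RFC 2818 above, together with the SAN approach from the second answer, as an added example that is not part of any of the original posts. The function names and the two name lists are constructed for illustration; real TLS clients may apply stricter rules than the quoted text.

```python
import re

def label_matches(pattern_label, host_label):
    """Compare one DNS label; '*' matches characters inside that label only."""
    if not host_label:
        return False  # an empty label is never a valid match
    regex = "".join("[^.]*" if ch == "*" else re.escape(ch)
                    for ch in pattern_label)
    return re.fullmatch(regex, host_label, re.IGNORECASE) is not None

def name_matches(pattern, hostname):
    """RFC 2818 style match: '*' covers a single component or fragment,
    so pattern and hostname must have the same number of labels."""
    p_labels = pattern.rstrip(".").split(".")
    h_labels = hostname.rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(label_matches(p, h) for p, h in zip(p_labels, h_labels))

def cert_covers(dns_names, hostname):
    """Return the certificate names that match hostname (empty list = error)."""
    return [n for n in dns_names if name_matches(n, hostname)]

# Constructed name lists based on the names used on this page.
WILDCARD_ONLY = ["*.domain.example"]
WITH_SAN = ["*.domain.example", "*.sub2.domain.example", "*.domain2.example"]

if __name__ == "__main__":
    for host in ("sub1.domain.example", "sub1.sub2.domain.example"):
        print(host, "| wildcard only:", cert_covers(WILDCARD_ONLY, host),
              "| with SAN:", cert_covers(WITH_SAN, host))
```

Running it shows that the plain wildcard certificate yields no match for sub1.sub2.domain.example, while the list carrying the extra *.sub2.domain.example entry does.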
