When implementing HTTPS (SSL), you also need to decide which certificates to use. If you publish many sites, you have many FQDNs, but you can reduce the number of certificates by using wildcard certificates or multi-domain (SAN) certificates.
To improve efficiency further, this article checks whether a certificate that combines multi-domain and wildcard can be issued.
- Description of Certification Authority (CA)
- GeoTrust
- Technically possible
- Conclusion - Multi-domain wildcard certificates can not be issued
Description of Certification Authority (CA)
The certificate authorities that issue SSL server certificates each explain multi-domain (SAN) certificates and wildcard certificates separately. However, none of them states explicitly, as in the title, that "a certificate combining multi-domain and wildcard cannot be issued". Still, their descriptions make it clear that the combination cannot be issued.
Sorry, I checked Japanese CAs only.
Cybertrust
Multi-domain certificates SureServer Prime MD / SureServer EV Prime MD | SSL/TLS server certificates SureServer | Cybertrust
This page describes the procedure for adding SANs to a multi-domain certificate. The usable characters are as follows.
- Alphanumeric characters (a-z, A-Z, 0-9)
- - (hyphen)
- . (Period)
The wildcard * (asterisk) is not included here, so you cannot combine wildcards with multi-domain certificates.
GeoTrust
GeoTrust describes the scope that each certificate supports. FQDNs can be added as SANs to these certificates too, but wildcards are not included.
CN: geotrust.co.jp | Quick SSL Premium 4 Subdomain pack | Quick SSL Premium wildcard |
---|---|---|
SANs: | | |
abc.geotrust.co.jp | o | x |
abc1.geotrust.co.jp | o | x |
abc.abc.geotrust.co.jp | x | x (hierarchy different from the *) |
abc.abc.abc.geotrust.co.jp | o | x (hierarchy different from the *) |
abc.abc.abc.symantec.com | x (another domain) | x (another domain) |
ValueSSL
From the FAQ of ValueSSL, whose certificates are cheap and easy for individuals to acquire.
Item | Multi-domain SSL certificates | Wildcard SSL certificates |
---|---|---|
CSR common name | (ex1) yourdomain.com (ex2) ssl.yourdomain.com | (ex1) *.yourdomain.com (ex2) *.ssl.yourdomain.com |
Notice | Specify FQDN | Specify FQDN with *. prepended |
As the notice row says, a multi-domain certificate requires a plain FQDN, so * cannot be specified.
SANs when using wildcard certificates
At most certificate authorities, when a wildcard certificate is issued, the base domain without the *. level is also registered as a SAN, as follows.
Application: *.example.com
CN: *.example.com
SAN: example.com
Technically possible
In this discussion, the conclusion is that multi-domain wildcard certificates are technically possible, but are not issued because of CA policy.
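To show what a combined certificate would cover, here is an added example (not from the original page or from any CA) that checks hostnames against a SAN list mixing wildcard and base-domain entries for two domains. It assumes RFC 6125 style matching, where `*` is the whole left-most label and stands for exactly one label; the example.com and example.org names are constructed.

```python
# Added example (not from the original page). Assumed matching rule, in the
# style of RFC 6125: "*" must be the entire left-most label and stands for
# exactly one label. Domain names below are constructed samples.

def san_matches(san: str, host: str) -> bool:
    """Return True if a single dNSName SAN entry covers the hostname."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False  # "*" never spans several labels or zero labels
    if any("*" in label for label in san_labels[1:]):
        return False  # wildcard anywhere but the left-most label
    if san_labels[0] == "*":
        return host_labels[0] != "" and san_labels[1:] == host_labels[1:]
    if "*" in san_labels[0]:
        return False  # partial wildcards such as "w*" are rejected here
    return san_labels == host_labels


def covered(sans, host: str) -> bool:
    """A certificate covers a host if any one of its SAN entries matches."""
    return any(san_matches(san, host) for san in sans)


def coverage_report(sans, hosts):
    """Map each hostname to whether the SAN list covers it."""
    return {host: covered(sans, host) for host in hosts}


WILDCARD_ONLY = ["*.example.com"]
WILDCARD_PLUS_BASE = ["*.example.com", "example.com"]  # what CAs register
MULTI_DOMAIN_WILDCARD = WILDCARD_PLUS_BASE + ["*.example.org", "example.org"]

HOSTS = ["example.com", "www.example.com", "a.b.example.com",
         "example.org", "shop.example.org"]

if __name__ == "__main__":
    for name, sans in [("wildcard only", WILDCARD_ONLY),
                       ("wildcard + base SAN", WILDCARD_PLUS_BASE),
                       ("multi-domain wildcard", MULTI_DOMAIN_WILDCARD)]:
        print(name, coverage_report(sans, HOSTS))
```

The report shows why the base domain has to be added as its own SAN, and that a deeper level such as a.b.example.com stays uncovered even by the combined list.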
Conclusion - Multi-domain wildcard certificates can not be issued
Multi-domain wildcard certificates are technically possible, but they are not issued because of certificate authority policy. Even if you check the descriptions published by the certificate authorities in Japan, none of them states explicitly that certificates combining multi-domain and wildcard cannot be issued.