designetwork(EN)

IT technical memo of networking

CANNOT issue certificates combining multi-domain and wildcard

When implementing HTTPS (SSL), the certificates also need to be examined. Publishing many sites means many FQDNs, but the number of certificates can be reduced by using wildcard certificates and multi-domain (SANs) certificates.

For further efficiency, I checked whether a certificate combining multi-domain and wildcard can be issued.

Descriptions from certificate authorities (CAs)

The various certificate authorities issuing SSL server certificates each explain multi-domain (SANs) certificates and wildcard certificates. However, as stated in the title, none of them state explicitly that "a certificate combining multi-domain and wildcard cannot be issued". Still, it can be understood from the descriptions below that the combination is not issued.

Sorry, I checked Japanese CAs only.

Cybertrust

Multi-domain certificate SureServer Prime MD / SureServer EV Prime MD | SSL/TLS server certificate SureServer | Cybertrust

The procedure for adding SANs to a multi-domain certificate is described. The usable characters are as follows.

  • Alphanumeric characters (a-z, A-Z, 0-9)
  • - (hyphen)
  • . (Period)

The wildcard * (asterisk) is not included. Wildcards cannot be combined with a multi-domain certificate.

GeoTrust

www.geotrust.co.jp

The support scope of each certificate is described. FQDNs can also be added as SANs, but wildcards are not included.

CN: geotrust.co.jp

SAN                          Quick SSL Premium 4 Subdomain pack   Quick SSL Premium wildcard
abc.geotrust.co.jp           o                                    x
abc1.geotrust.co.jp          o                                    x
abc.abc.geotrust.co.jp       x                                    x (hierarchy different from the *)
abc.abc.abc.geotrust.co.jp   o                                    x (hierarchy different from the *)
abc.abc.abc.symantec.com     x (another domain)                   x (another domain)

ValueSSL

About wildcard certificates « ValueSSL Support

From the FAQ of ValueSSL, which is cheap and easy for individuals to obtain.

Item              Multi-domain SSL certificate     Wildcard SSL certificate
CSR common name   (ex1) yourdomain.com             (ex1) *.yourdomain.com
                  (ex2) ssl.yourdomain.com         (ex2) *.ssl.yourdomain.com
Notice            Specify the FQDN                 Specify the FQDN with "*." prepended

As the notice says, * cannot be specified for a multi-domain certificate because an FQDN must be specified.

SANs when using wildcard certificates

When a general certificate authority issues a wildcard certificate, the bare domain (the name without the *. label, which the wildcard itself does not cover) is registered as a SAN, as follows.

Application: *.example.com
CN: *.example.com
SAN: example.com

Technically possible

In the discussion linked below, the conclusion is that multi-domain wildcard certificates are technically possible but are not issued because of CA policy.

stackoverflow.com
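To make the two points above concrete (the bare-domain SAN next to *.example.com, and the "technically possible" combined SAN list), here is an added example, not code from the original post: a small RFC 6125-style dNSName matcher run over SAN lists. The SAN lists and hostnames are the post's examples or constructed for illustration.

```python
# Added example (not from the original post): a minimal dNSName SAN matcher.
# It shows (a) why the bare domain needs its own SAN beside *.example.com,
# (b) that a wildcard covers exactly one label, so abc.abc.example.com is a
# different hierarchy, and (c) that a SAN list mixing several wildcards and
# domains is perfectly valid X.509 content, so the limit is CA policy only.

def san_matches(san: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry covers hostname.

    Only a leading '*.' wildcard is honoured, and it matches exactly one
    DNS label (the common browser/RFC 6125 behaviour)."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                      # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]   # the part the '*' has to absorb
    return bool(leftmost) and "." not in leftmost

def covered_by(sans, hostname: str) -> bool:
    """True if any SAN in the list covers hostname."""
    return any(san_matches(s, hostname) for s in sans)

# The issuance pattern described in the post: CN *.example.com plus the
# bare domain as a SAN, because the wildcard alone does not cover it.
WILDCARD_SANS = ["*.example.com", "example.com"]

# Constructed multi-domain wildcard SAN list: valid as certificate content,
# even though the CAs checked in the post will not issue it.
COMBINED_SANS = ["*.example.com", "example.com", "*.example.net", "shop.example.org"]

if __name__ == "__main__":
    for host in ["abc.example.com", "example.com", "abc.abc.example.com"]:
        print(f"{host:22} wildcard cert: {covered_by(WILDCARD_SANS, host)}")
    for host in ["www.example.net", "shop.example.org", "www.example.org"]:
        print(f"{host:22} combined cert: {covered_by(COMBINED_SANS, host)}")
```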

Conclusion - Multi-domain wildcard certificates cannot be issued

Multi-domain wildcard certificates are technically possible, but certificate authority policy prevents them from being issued. The Japanese CAs' descriptions do not explicitly state that a certificate combining multi-domain and wildcard cannot be issued, but it follows from what they describe.


This blog is the English version of my Japanese one.

Sorry if my English sentences are incorrect.
