How can SSL work with "subdomain" but not "subdomain.subdomain.domain.com"

subdomain.subdomain.domain.com is a little bit confusing. Unifying might help for explanation:

A subdomain is every part left of the most right dot. Only the most right part (com) is no subdomain. It is a Top Level Domain (TLD).

Terminology:

subsubdomain.subdomain.domain.com
       |         |        |    |
       |         |        |     \---> TLD: Top Level Domain
       |         |         \--------> SLD: 2nd/Second Level Domain
       |          \----------------->      3rd/Third Level Domain
        \--------------------------->      4th/Fourth Level Domain

Every certificate is issued for only one CN (Common Name).

In case the CN is the 3rd Level Domain subdomain.domain.com, Chrome will work only with this domain without errors.

Every additional subdomain needs to be added as Alternativ Name. Otherwise you will get an error. A common usecase is the www. subdomain which is added as Alternativ Name.

Multiple domains could be added. It is possible to get a certificate for mydomain.net (CN) with multiple Alternative Names included like: www.mydomain.net, smtp.mydomain.net, my-other-domain.com and www.my-other-domain.com

As mentioned above, Alternative Names do not have to belong to the same "domain".

Wildcard Certificates like *.google.com are another option without propagating "all your domains" to public. Data for every issued certificate will be accessible for everyone. (e.g. %.google%.com resolves google, googlemail, googleapis,...)

What had happened is we have a self-signed cert for "subdomain" and a public/ca signed cert for "subdomain.subdomain.domain.tld". We were using the self signed cert. When I switched to the public cert, only the proper URL would work for SSL.