Wildcard SSL certificate for second-level subdomain

RFC2818 states:

If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

Internet Explorer behaves in the way outlined by the RFC, where each level needs its own wildcarded certificate. Firefox is happy with a single *.domain.com where * matches anything in front of domain.com, including other.levels.domain.com, but will also handle the *.*.domain.com types as well.

So, to answer your question: it is possible, and supported by browsers.

All answers here are outdated or not fully correct, not considering the RFC 6125 from 2011.

According to the RFC 6125, only a single wildcard is allowed in the most left fragment.

Valid:

*.sub.domain.tld
*.domain.tld

Invalid:

sub.*.domain.tld
*.*.domain.tld
domain.*
*.tld
sub.*.*

A fragment, or also called "label", is a closed component, e.g.: *.com (2 labels) does not match label.label.com (3 labels) - this has already been defined in RFC 2818.

Before 2011 in RFC 2818 the setting was not fully clear:

Specifications for existing application technologies are not clear or consistent about the allowable location of the wildcard character.

This has changed with RFC 6125 from 2011 (6.4.3):

The client SHOULD NOT attempt to match a presented identifier in which the wildcard character comprises a label other than the left-most label (e.g., do not match bar.*.example.net).

When Wildcard SSL certificate is issued for *.domain.com, you can secure your unlimited number of sub domains over the main domain.

For example:

• sub1.domain.com
• sub2.domain.com
• sub3.domain.com
• sub*.domain.com

If the Wildcard SSL certificate is issued on *.sub1.domain.com, in that case you can secure all second level subdomains which are listed under the sub1.domain.com

For example:

• aaa.sub1.domain.com
• bbb.sub1.domain.com
• ccc.sub1.domain.com
• ***.sub1.domain.com

If you want to secure limited number of sub domains and second level domains, then you can choose multi domain SSL that can secure up to 100 domain names with a single certificate.

For example:

• domain.com
• sub1.domain.com
• aaa.sub2.domain.com
• domain2.net
• domain3.org

You should know your actual requirements to choose an SSL certificate.

Just to confirm FF and IE 8 will NOT accept certificates in the form *.*.example.com although it is technically possible to create them.

I was just doing some research on this as I have the same requirements to secure sub subdomains as well and came across a solution from DigiCert.

This certificates says it will support yourdomain.com, *.yourdomain.com, *.*.yourdomain.com and so on.

It is currently rather pricy, but the hope is that other providers would start offering similar certificates and reduce prices.

This could be worth a new round of tests with current browser versions.

My personal quick check results in: Firefox 20.0.1 seems to still not support this. It shows:

This certificate is only valid for *.*.mydomain.com

...when surfing to https://svn.project.mydomain.com.

Internet Explorer 9.0:

The certificate of this website was made for another address

Notes:

• Both statements translated from German to English, by me. Probably I did not use the same phrases as the English browser versions would show.
• I used a self-signed certificate. Which caused the browsers to show an additional sentence of warning. I assume that the quotes above would also be shown with a trusted certificate issuer. Verifying this was out of the scope of my "quick check".

although i'm not looking into your question, i just happened to read something about it minutes ago:

https://www.instantssl.com/articles/can-you-create-a-wildcard-ssl-certificate-for-two-levels.php

this explain that you cannot use double asterisk

Edit

Add part of the quote in case the website goes down or it's too long to read

What is not possible is to try to cover both the subdomains of mail.xyz.com and photos.xyz.com with a single Wildcard. The CA or Certificate Authority can only provide an SSL certificate with a single (*). You could not generate a Certificate Signing Request that looked like ..xyz.com to try to cover more than one second level subdomain group.

The Reason Why

The reasons it is not possible to have a "double wildcard" SSL certificate is that the placeholder, the asterisk, can only stand in for one field in the name submitted to the CA. After all, the CA has to verify all information, and too many variables in the certificate would decrease the security and confidence the certificate provides.

Additionally, and this is important for IT managers and website owners as well, the internal security cannot be compromised as easily. Keep in mind that any type of security issue once an SSL certificate is in place is much more likely to occur from an internal security breach where someone with access to the private key and certificate is able to set up a subdomain website that is actually covered by the SSL.

What you can do is something like *.domain.com and then *.www.domain.com or *.mail.domain.com. I've never seen *.*.domain.com on a production site.

You can get a wildcard (*.domain.com) but you will also need *.www.domain.com as a alternative subject name entry to get this to work. The only companies that I know offer this are ssl.com and digicert. There may be others but I'm not sure.