We already have a wildcard certificate for *.mycompany.com. Our network has hosts that are only reachable internally. All of them belong to the internal.mycompany.com subdomain. There is a private server with the host name server.internal.mycompany.com on which I deployed our wildcard certificate.

When I visit the web server I get a host name mismatch error. Do I really have to get another wildcard certificate for *.internal.mycompany.com, or is there another (free!?) way to use our wildcard certificate for all of our subdomains and their subdomains without getting an error in the browser?
# Yes, you will have to buy another certificate*

The asterisk wildcard character * will only match 1 label in a resolved FQDN. This behavior reflects RFC 4592 Section 3.3, in its description of DNS label matching and fallback to the asterisk label.

If you only need to secure a single endpoint under the .internal.mycompany.com. namespace, you don't need a wildcard certificate; just buy a regular single-subject certificate.

*) The CA/Browser Forum baseline requirements for public certificate issuance do permit wildcard names in the SAN extension of a certificate, so technically a single wildcard certificate could be valid for wildcard matching on multiple subdomains, but I have never seen this type of product advertised off-the-shelf anywhere, and I would assume it to be overly expensive.
According to wildcard SSL certificate security protocols, it allows only protection of first-level domains, which also includes your main domain, such as domainname.com and domain.domainname.com. It allows unlimited subdomain security, but they must be first-level domains.

If you want to protect a subdomain name in the format domain.domain.domainname.com, which is technically known as a second-level subdomain name, then you must have another wildcard SSL certificate specifically for that subdomain name's security.
The wildcard SSL certificate can secure only single-level subdomains. If you have a wildcard SSL certificate issued for *.mycompany.com, then it will secure mycompany.com and all of its subdomains.

If your requirement is securing second-level subdomains, you should create a CSR for *.internal.mycompany.com (with this condition, mycompany.com will get a domain name mismatch warning in the browsers, so you need to purchase a standard SSL certificate for mycompany.com).

It is possible to secure your entire website with a single multi-domain certificate. With a multi-domain SSL certificate, you can secure multiple websites, subdomains and multi-level subdomains.

The multi-domain SSL certificate is also known as a SAN SSL certificate and counts each entry as an individual SAN name.

You should evaluate how many subdomains are created under mycompany.com and *.internal.mycompany.com, which will help to choose the right certificate product.

A detailed scenario is already explained here: Wildcard SSL certificate for second-level subdomain
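The one-label wildcard rule from the first answer and the multi-SAN approach from the last answer, as an added example that is not part of any of the posts above: a small checker that applies the rule to the host names from the question. The SAN lists are constructed for illustration; only the host names come from the page.

```python
"""Added example: does a certificate's DNS name list cover a host name?

The wildcard is honoured only as the whole left-most label and stands in
for exactly one label, which is why '*.mycompany.com' does not cover
'server.internal.mycompany.com' but '*.internal.mycompany.com' does.
"""


def label_matches(pattern: str, name: str) -> bool:
    """Match one certificate DNS name (optionally '*.'-prefixed) against a host."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    if not pattern.startswith("*."):
        # Partial or non-leading wildcards ('s*.example.com', 'a.*.example.com')
        # are not treated as wildcards here; they never match.
        return False
    p_labels = pattern.split(".")
    n_labels = name.split(".")
    if len(p_labels) != len(n_labels):
        return False  # the '*' covers exactly one label, so counts must agree
    if len(p_labels) < 3:
        return False  # refuse '*.com'-style wildcards over a bare TLD
    return p_labels[1:] == n_labels[1:]


def cert_covers(san_names: list[str], host: str) -> bool:
    """True if any name in the certificate's SAN list matches the host."""
    return any(label_matches(san, host) for san in san_names)


# Constructed SAN lists (assumptions); the host names are from the question.
WILDCARD_CERT = ["mycompany.com", "*.mycompany.com"]
SECOND_LEVEL_CERT = ["*.internal.mycompany.com"]
MULTI_SAN_CERT = WILDCARD_CERT + SECOND_LEVEL_CERT  # one cert, several SAN entries

if __name__ == "__main__":
    for host in ("www.mycompany.com", "server.internal.mycompany.com"):
        print(f"{host}: wildcard-only={cert_covers(WILDCARD_CERT, host)} "
              f"multi-SAN={cert_covers(MULTI_SAN_CERT, host)}")
```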