wildcard ssl on sub-subdomain

porto alet · Jan 22, 2010 · Viewed 86.8k times

we have wildcard ssl certificate for *.domain.com, and have a website with sub1.sub2.domain.com

Safari 4.0.4 on Mac OS X pops up a certificate error (presumably because of wildcard interpretation), while Safari 4 on Windows does not.

Also, IE8 behaviour is mixed at best; some IE8 do not display the certificate error and some do not.

What causes this strange behavior on Safari and IE?

Answer

Elias Torres Arroyo · Mar 16, 2012

A wildcard SSL certificate for *.example.net will match sub.example.net but not sub.sub.example.net.

From RFC 2818:

Matching is performed using the matching rules specified by RFC2459. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.
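To make the RFC 2818 rule concrete, here is an added Python example (my own code, not from the answer above or from any TLS library) that implements the quoted matching rules: a `*` matches any single label or label fragment, so `*.domain.com` covers `sub1.domain.com` but not `sub1.sub2.domain.com`, and a certificate with several dNSName entries is accepted if any one of them matches. The function names and the constructed name lists are assumptions for the illustration.

```python
import re


def label_matches(pattern_label: str, name_label: str) -> bool:
    """RFC 2818 label matching: '*' may replace a whole label or a fragment of it.

    Each label is compared on its own, so a wildcard can never span a '.'.
    """
    if not name_label:
        # An empty label is not a "domain name component"; never match it.
        return False
    # Escape the literal parts of the pattern and let '*' stand for any run of
    # characters inside this single label (e.g. f*.com -> foo.com).
    regex = "^" + ".*".join(re.escape(part) for part in pattern_label.split("*")) + "$"
    return re.match(regex, name_label) is not None


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate identity (possibly wildcarded) covers hostname.

    DNS names are case-insensitive; a trailing dot is ignored.  Because labels
    are paired up one by one, a pattern with N labels only ever matches a name
    with exactly N labels, which is why *.domain.com cannot cover
    sub1.sub2.domain.com.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(label_matches(p, h) for p, h in zip(p_labels, h_labels))


def matching_identity(dns_names, hostname: str):
    """Pick the first dNSName in the certificate that covers hostname, or None.

    Mirrors the RFC 2818 sentence that a match in any one of several identities
    is acceptable.
    """
    for name in dns_names:
        if hostname_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample certificates: the one from the question, and a fixed
    # one that adds an identity for the deeper name.
    cert_from_question = ["*.domain.com"]
    cert_fixed = ["*.domain.com", "*.sub2.domain.com"]

    for host in ("sub1.domain.com", "sub1.sub2.domain.com"):
        print(host, "->", matching_identity(cert_from_question, host),
              "| fixed cert ->", matching_identity(cert_fixed, host))
```

Running the block prints a match for `sub1.domain.com` under both certificates, but `sub1.sub2.domain.com` is only covered once the certificate carries a `*.sub2.domain.com` (or exact-name) entry, which is the practical fix for the question. One caveat worth knowing: RFC 6125, which modern browsers follow, is stricter than RFC 2818 and only honours a wildcard as the entire leftmost label, so fragment patterns such as `f*.com` should not be relied on even though this checker accepts them.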