Wildcard certificate

From Wikipedia, the free encyclopedia
Jump to: navigation, search
An example of a wildcard certificate on https://plus.google.com (note the asterisk: *)
An example of an EV certificate acting as a wildcard certificate on https://www.ssl.com (note the Subject Alternative Name (SAN) field)

A wildcard certificate is a public key certificate which can be used with multiple subdomains of a domain.[1]

Depending on the number of subdomains an advantage could be that it saves money and also could be more convenient.

Limitation[edit]

Only a single level of subdomain matching is supported.[2]

It is not possible to get a wildcard for an Extended Validation Certificate.[3]

A workaround could be to add every virtual host name in the Subject Alternative Name (SAN) extension,[4][5][6] the major problem being that the certificate needs to be reissued whenever a new virtual server is added.[7]

Wildcards can be added as domains in multi-domain certificates or Unified Communications Certificates (UCC).[8] In addition, wildcards themselves can have subjectAltName extensions, including other wildcards. For example: The wildcard certificate *.wikipedia.org has *.m.wikimedia.org as an Subject Alternative Name. Thus it secures https://www.wikipedia.org as well as the completely different website name https://meta.m.wikimedia.org.[9]

RFC 6125 argues against wildcard certificates on security grounds.[10]

Example[edit]

In the case of a wildcard certificate for *.example.com, these domains would be valid:

  • payment.example.com
  • contact.example.com
  • login-secure.example.com
  • www.example.com


Because the wildcard only covers one level of subdomains (the asterisk doesn't match full stops)[11], these domains would not be valid for the certificate:

  • test.login.example.com

The "naked" domain is also not valid[12] (it must be added separately as a SubjectAltName):

  • example.com
Brief information about wildcard ssl certificate.

See also[edit]

Relevant RFCs[edit]

References[edit]

  1. ^ Wildcard SSL certificate on Verisign.com
  2. ^ Wildcard SSL certificate limitation on QuovadisGlobal.com
  3. ^ "Guidelines For The Issuance And Management Of Extended Validation Certificates, Version 1.5.2". CA/Browser Forum. 2014-10-16. p. 10. Retrieved 2014-12-15. Wildcard certificates are not allowed for EV Certificates. 
  4. ^ x509v3_config-Subject Alternative Name
  5. ^ The subjectAltName field
  6. ^ The SAN option is available for EV SSL Certificates on Symantec.com
  7. ^ Need to be reissued whenever a new virtual server is added
  8. ^ Wildcard domains can be used within UCC on SSL.com
  9. ^ SSLTools Certificate Lookup of Wikipedia.org's wildcard ssl certificate
  10. ^ "RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)". Internet Engineering Task Force. March 2011. p. 31. Retrieved 2014-12-10. This document states that the wildcard character '*' SHOULD NOT be included in presented identifiers but MAY be checked by application clients (mainly for the sake of backward compatibility with deployed infrastructure). [...] Several security considerations justify tightening the rules: [...] 
  11. ^ "RFC 2818 - HTTP Over TLS". Internet Engineering Task Force. May 2000. p. 5. Retrieved 2014-12-15. [...] *.a.com matches foo.a.com but not bar.foo.a.com. 
  12. ^ "RFC 2595 - Using TLS with IMAP, POP3 and ACAP". Internet Engineering Task Force. June 1999. p. 3. Retrieved 2014-12-15. For example, *.example.com would match a.example.com, foo.example.com, etc. but would not match example.com.