Forum Discussion

Alen_Ismic_1869
Feb 12, 2015
Solved

Wildcard Certificate

Hello,

 

I need to set up SSL certificates on multiple subdomains (more than 10) of one domain name. So I actually need a Wildcard SSL certificate, and I chose the Thawte Wildcard SSL certificate. I thought this was what I needed, but when I contacted Thawte they said that I need to pay for additional server licenses, and I don't understand this. If I am using F5 and doing SSL offloading, my wildcard SSL certificate is on the F5, and I don't need to install it on the servers. I'll set up one client SSL profile with the wildcard certificate and assign it to all Virtual Servers, and that will be all. Has anyone had experience with the same problem?

 

  • Assuming all your sub-domains are first-level, you're good to go with the wildcard certificate. Just don't include any sub-domains (SANs) with your purchase requests, you really don't have to, and it might be the reason you received misleading information from them. Any first-level sub-domains will automatically be covered by the wildcard certificate.

     

    With a wildcard certificate, your second-level sub-domains will not be covered (e.g. "https://mysecond.myfirst.maindomain.com"); neither will "https://maindomain.com" be covered.

     

    I recommend reading the information here to learn more about wildcards & sub-domains: https://www.digicert.com/ssl-support/wildcard-san-names.htm

     

8 Replies


  • Hannes_Rapp_162
    It's a good practice to use a wildcard certificate in combination with 1 additional SAN. Below are the details of one certificate which covers all first-level sub-domains as well as "https://maindomain.com" (no first-level domain specified). The total cost of such a solution is the cost of a wildcard certificate + 1 SAN certificate. This is a solution you might want to consider (depending on whether you really need https://maindomain.com to be covered).

    Certificate Properties
    Public Key Type: RSA
    Public Key Size: 2048 bits
    Expires: Jul 9 14:30:00 2015 GMT
    Version: 3
    Serial Number: xx:xx:xx:xx:xx:xx:xx
    Subject
      Common Name: *.maindomain.com
      Organization:
      Division: Domain Control Validated
      Locality:
      State Or Province:
      Country:
    Issuer
      Common Name: COMPANY Certification Authority
      Organizational Unit: COMPANY, Inc.
      Division: http://COMPANY/repository
      Locality: COMPANY
      State Or Province: Arizona
      Country: US
      Email:
    Subject Alternative Name
      DNS:maindomain.com, DNS:*.maindomain.com
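As an added illustration (not code from the thread, F5 or any CA), the following Python applies the standard TLS hostname-matching rules (a wildcard is honoured only as the entire leftmost label and stands for exactly one label) to the two SAN lists discussed above: the wildcard-only certificate and the wildcard plus apex SAN. The SAN lists and hostnames are constructed to mirror the examples in the thread.

```python
# Hostname matching against a certificate's Subject Alternative Names,
# following the RFC 6125 wildcard rules that browsers and other TLS clients
# apply. Added example; the SAN lists and hostnames below are constructed.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry (plain or wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname           # plain name: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label ("*.maindomain.com");
    # forms such as "w*.maindomain.com" or "*.*.maindomain.com" are rejected.
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False
    if len(p_labels) < 3:
        return False                         # "*.com" would be far too broad
    # The wildcard stands for exactly one label, so label counts must agree.
    # This is why "mysecond.myfirst.maindomain.com" (one label too many) and
    # the bare apex "maindomain.com" (one label too few) are NOT covered.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]

def covered_by(san_names, hostname: str) -> bool:
    """True if any SAN entry in the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in san_names)

def coverage_report(san_names, hostnames) -> dict:
    """Map each hostname to whether the certificate's SANs cover it."""
    return {h: covered_by(san_names, h) for h in hostnames}

# Constructed SAN lists mirroring the two certificates discussed in the thread.
WILDCARD_ONLY = ["*.maindomain.com"]
WILDCARD_PLUS_APEX = ["maindomain.com", "*.maindomain.com"]

HOSTS = [
    "www.maindomain.com",                 # first-level: covered by both
    "api.maindomain.com",                 # first-level: covered by both
    "maindomain.com",                     # apex: needs the extra SAN
    "mysecond.myfirst.maindomain.com",    # second-level: covered by neither
    "maindomain.com.evil.example",        # unrelated suffix: never covered
]

if __name__ == "__main__":
    for label, sans in (("wildcard only", WILDCARD_ONLY),
                        ("wildcard + apex SAN", WILDCARD_PLUS_APEX)):
        print(label)
        for host, ok in coverage_report(sans, HOSTS).items():
            print(f"  {host:36} {'covered' if ok else 'NOT covered'}")
```

Running the script prints one coverage table per certificate, making it easy to see that a second-level sub-domain needs its own SAN or a separate certificate regardless of which option you buy.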
  • Thank you Hannes, but this solves one part of my question.

     

    The second part is about the additional server licenses: do I need them, since I am installing the certificate only on one server (in this case the F5)? I am stuck with Thawte; I am not able to change the certificate now.

     

    • Hannes_Rapp
      You have only 1 server and no additional server licenses are required if you have a standalone F5 terminating all SSL connections. I've not worked with Thawte before, and in case of an active-standby (or active-active) cluster I'd recommend clarifying whether you are required to pay for an additional server license.
    • Alen_Ismic_1869
      I'll use high availability mode; there are two F5 BIG-IPs which will terminate all SSL connections.
  • As per Thawte's SSL terms, they offer the SSL certificate for a single server only, meaning the Wildcard SSL certificate will be licensed for a single server. If you need to secure a website on a different server, you need to purchase an additional server license.

    The best alternative to the Thawte Wildcard SSL certificate is the Comodo Positive Multi-Domain Wildcard SSL Certificate.

    It offers the same security as Thawte; additionally, it lets you secure an unlimited number of sub-domains on multiple servers. It comes with SAN features which let you secure multiple fully qualified domains.

    The Comodo Positive Multi-Domain Wildcard SSL Certificate is a multi-domain solution that offers security to a website, multiple domains and their unlimited sub-domains on multiple servers.

    Its price is much lower than the Thawte Wildcard SSL Certificate.