Please support wildcard certificates

easily code that @Jason

If you are a developer maybe you can contribute?

I can test a bit without wildcards. To go beyond mild playing, I need altnames. In a few cases, to scale out, I need wildcards. I do understand “certs are cheap, just ask for them” from the CA point of view, but services and server scaling are another world.

Wildcards are important for SaaS (multitenant) scenarios.

For example when a new customer acme signs up for the (imaginary) happyhire recruiting service, they would typically be given their new careers site at acme.happyhire.com.

Some SaaS systems have thousands of customers.

On one hand, a thousand customer company can afford to buy a wildcard cert.

But compounding this is microservices. What used to be a monolithic app will soon instead be a collection of tens or hundreds of small apps.

Those apps communicate with each other via REST api calls over the internet.

They all need wildcard certs of their own.

This is all top of mind for me right now because we’ve shelled out a few $k for wildcard certs this month and we have a lot more we need to buy.

Please support wildcards!!

+1 for wildcard support.

Another argument for wildcard certs would be a privacy one: When using a wildcard cert an attacker which listens on the network cannot get out what subdomain the user is connecting to.

4 Likes

+1 for wildcard support

That only works when SNI is not used by the client. What does work is wildcard OR multi-domain certificates securing an h2 connection - you can send requests for all domains over the same connection.

5 Likes

Someone is going to talk about DNS sooner or later and how you see what domain you are requesting, but with DNSCrypt (which many people are using) the DNS query is encrypted and someone passively following network traffic will only see the target IP.

Okay, yes you're right - multi-domain certificates should also do this.

Yeah, DNS queries are a completely different thing of course. And yes DNSCrypt is a really nice system.

1 Like

Again, the critical part is "securing an HTTP/2 (h2) connection" - the h2 spec allows you to send requests for all domains listed in the certificate, so the network viewers can only see the first domain you connected to in the clear.

1 Like
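The two rules the posts above rely on can be made concrete in code. The example below is an added illustration, not code from this thread, from Let's Encrypt, or from testssl: it implements the strict hostname-to-SAN wildcard matching that browsers apply (RFC 6125 section 6.4.3: the wildcard must be the whole leftmost label, covers exactly one label, and never matches the bare parent domain), and the HTTP/2 connection-reuse check from RFC 7540 section 9.1.1 (the new origin must resolve to the address already connected to and the certificate must cover it), which is exactly what keeps the second hostname out of the SNI field. The SAN list is taken from the testssl output posted later in the thread; the DNS table and its 192.0.2.x addresses are constructed for the example and hypothetical.

```python
from __future__ import annotations

# SAN list from the testssl output for centminmod.com posted in this thread
SANS = ["*.centminmod.com", "centminmod.com"]

# Constructed DNS table (hypothetical, documentation-range addresses)
DNS = {
    "www.centminmod.com": {"192.0.2.10"},
    "api.centminmod.com": {"192.0.2.10"},
    "cdn.centminmod.com": {"192.0.2.20"},   # served from a different host
    "other.example":      {"192.0.2.10"},   # same address, but not in the cert
}


def san_matches(hostname: str, san: str) -> bool:
    """Return True if one SAN entry matches hostname (RFC 6125 6.4.3 rules).

    A wildcard must be the entire leftmost label, matches exactly one
    non-empty label, never matches the bare parent domain, and patterns
    as broad as "*.com" are refused.
    """
    host = hostname.rstrip(".").lower()
    pattern = san.rstrip(".").lower()
    if "*" not in pattern:
        return host == pattern
    plabels = pattern.split(".")
    # Reject partial wildcards ("f*o.example") and wildcards past the first label.
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False
    if len(plabels) < 3:
        return False  # "*.com" would cover every second-level domain
    hlabels = host.split(".")
    if len(hlabels) != len(plabels) or hlabels[0] == "":
        return False  # one label only: "a.b.example" is not covered by "*.example"
    return hlabels[1:] == plabels[1:]


def cert_covers(hostname: str, sans: list[str]) -> bool:
    """True if any SAN entry in the certificate covers hostname."""
    return any(san_matches(hostname, san) for san in sans)


def can_coalesce(connected_host: str, new_host: str, sans: list[str], dns: dict) -> bool:
    """HTTP/2 connection reuse check (RFC 7540 section 9.1.1).

    Requests for new_host may go over the connection already open to
    connected_host only if new_host resolves to the address in use and
    the presented certificate is valid for new_host. Only then does the
    second hostname avoid appearing in a fresh ClientHello's SNI field.
    """
    connected_ips = dns.get(connected_host, set())
    if not connected_ips:
        return False
    connected_ip = sorted(connected_ips)[0]  # address chosen at connect time
    return connected_ip in dns.get(new_host, set()) and cert_covers(new_host, sans)


if __name__ == "__main__":
    for host in ["www.centminmod.com", "centminmod.com", "a.b.centminmod.com"]:
        print(f"{host:22} covered={cert_covers(host, SANS)}")
    for new in ["api.centminmod.com", "cdn.centminmod.com", "other.example"]:
        print(f"reuse for {new:20} -> {can_coalesce('www.centminmod.com', new, SANS, DNS)}")
```

Note that `cdn.centminmod.com` is covered by the wildcard yet still cannot be coalesced, because it resolves to a different address: the certificate alone is not enough, the DNS answer has to line up as well.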

+1 for wildcard support

+1 for wildcard support.

Hi folks, could you please stop posting “+1” responses to this thread? We’re aware that there are thousands of prospective users who would like wildcard certificates and that some of them have use cases that can’t be satisfied without wildcard certificates.

Nonetheless, we are unfortunately unable to support wildcard certificates, at least at the outset, and seeing additional “+1” replies won’t change that. I’m sorry for the inconvenience.

12 Likes

@eva2000 which product? GoDaddy Standard Wildcard SSL? I don’t see any other that is under $55 other than that one.

GoGetSSL resellers get an additional brand called GGSSL standard and wildcard SSL certificates, which are essentially Comodo signed and backed SSL certs.

GGSSL wildcard on centminmod.com

testssl centminmod.com:443

 TLS server extensions        renegotiation info, EC point formats, session ticket, status request
 Session Tickets RFC 5077     3600 seconds
 Server key size              2048 bit
 Signature Algorithm          SHA256 with RSA
 Fingerprint / Serial         SHA1 8CCB5CAA6066F2321A6FE8ED37920B7687CFBE39 / 623CBC1C62FD9C08BD83C9F033B009C8
                              SHA256 F9B041F7F6ACB1503FB68592B7F0B972D47683402DA2A5D30BAFCF9B70405E88
 Common Name (CN)             *.centminmod.com (wildcard certificate match) (CN in response to request w/o SNI: *.centminmod.com)
 subjectAltName (SAN)         *.centminmod.com centminmod.com 
 Issuer                       COMODO RSA Domain Validation Secure Server CA (COMODO CA Limited from GB)
 EV cert (experimental)       no 
 Certificate Expiration       >= 60 days (2014-08-14 00:00 --> 2017-08-13 23:59 +0000)
 # of certificates provided   3
 Certificate Revocation List  http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
 OCSP URI                     http://ocsp.comodoca.com
 OCSP stapling                offered

Came here looking for this. Absolutely a great reason that could save libraries $$$

+1 for this.

It’s a whole different dimension for me.
I’m not just managing websites and their subdomains, I’ve got different domains from different projects, sometimes with different people in the lead to manage them (who prefer to leave security and such to people that know their stuff), so using wildcards comes as second nature to keep me sane…

Even though it may sound pretty large scale it’s just using the otherwise unused server resources to help some people. (Many small things count up with the time)

So it’s a requirement for me to even consider switching to this service.
Though the basic idea is really interesting and I can’t wait to see what’ll happen once it’s out in the wild so kudos for providing this in the first place.

2 Likes

Does anybody know where to find compiled list what features each CA supports exactly?

I’ve checked with GoDaddy few days ago:
GD support RSA keys only, no ECC.
GD cannot combine wildcard and UC/SAN into single certificate. It might be rarely needed, but still.
GD won’t allow certs with different key OR different key types for a “single purchase”. We do use ECC + RSA certs as a F5 hybrid certificate.
All above is provided by DigiCert, for the premium price of course.

For ECC 256-bit SSL certs, I only know of Comodo (including the GoGetSSL GGSSL brand SSL certs) and Symantec ECC SSL certificates that support them.

So if you want ECC 256-bit SSL now, Comodo SSL certs are the best bet - it’s what I run for sslspdy.com with a GGSSL/Comodo wildcard: https://sslspdy.com/

eva2000,
Thanks for your answer!
Could you clarify a bit, please:
For your current certificate purchase for the sslspdy.com domain, can the CA issue 2 certificates with RSA and EC keys, active at the same time?
Or do you have to buy them separately?