Regarding Wildcard Certificates and Complex Cases


#1

So first of all, this isn’t really a feature request, but I wasn’t sure how else to file this since it’s discussing an upcoming feature. If this is the wrong place I’d appreciate if it could be tagged wherever is most relevant!

Anyway, I’m very much looking forward to being able to request wildcard domains to significantly simplify setup for many of my sites, as currently I have to gather a list of multiple domains and request them either as individual or combined certificates, which is a bit of a pain.

However, there’s one new case that I’m looking forward to investigating that wildcards ought to make possible, but I have some questions about how it will work. Basically, assume I have a domain with various sub-domains for different purposes, e.g. www.example.org, mail.example.org, webmail.example.org and so on, and I’d like to use a wildcard certificate for *.example.org to make it easier to change sub-domains in future. Perfectly normal so far.

Now, I also want to handle uploaded user content, and my current ideal scheme for doing so is to use domains such as haravikk.files.example.org; a bit unwieldy I know, but this avoids potential issues with things like cookies and cross-site scripting, as it’s much easier to lock everything down at a sub-domain level, and is easy to handle in nginx by simply matching the username part of the sub-domain (or sub-sub-domain, I’m unclear on the term for going deeper). So to allow SSL for these sub-domains, I’d also need a wildcard certificate for *.files.example.org.

What I’m wondering is: will this work with essentially two different levels of wildcard certificate (i.e. does *.example.org also match haravikk.files.example.org, or does it only match files.example.org)?

I suppose the obvious related question is: does it even matter? Am I just over-complicating things by looking at using two different wildcards for this? Should I just use one for the entire site (if I can)?


#2

The asterisk is valid for one DNS label only, so *.example.com matches foo.example.com and bar.example.com but not foo.bar.example.com.


#3

One certificate can include both the names *.example.org and *.files.example.org, though.

(By the way, wildcards don’t cover the parent name. In other words, you need to also include example.org if you want https://example.org/ to work.)

If you want to see a certificate with a lot of wildcards, look at Google: https://crt.sh/?id=239071376
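The two replies above state the rules a client applies when matching a hostname against a wildcard name: the asterisk covers exactly one label, it must be the whole leftmost label, and it never covers the parent name. The following is an added example (not code from the thread or from Let's Encrypt) that implements those rules, as specified in RFC 6125 section 6.4.3, and checks a hostname against a list of subject alternative names such as the three the original poster would need. All hostnames and the SAN list are constructed for illustration.

```python
"""Hostname-to-certificate-name matching, one DNS label per wildcard.

Added example; hostnames and the SAN list below are constructed.
"""

from typing import Optional


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lowercase, strip a trailing dot, split on '.'."""
    return name.lower().rstrip(".").split(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`.

    Rules (RFC 6125 section 6.4.3, as browsers enforce them):
      - a name without '*' must match literally;
      - '*' is only allowed as the entire leftmost label
        ('*.example.org', not 'w*.example.org' or 'www.*.org');
      - '*' matches exactly one label, so '*.example.org' covers
        'www.example.org' but not 'a.b.example.org' and not the
        parent name 'example.org' itself.
    """
    p_labels = _labels(pattern)
    h_labels = _labels(hostname)

    if "" in h_labels or "*" in hostname:
        return False  # malformed hostname; never match

    if "*" not in pattern:
        return p_labels == h_labels

    # Wildcard must be the whole leftmost label and appear nowhere else.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    if "" in p_labels[1:]:
        return False

    # Exactly one label is absorbed by '*'; the rest must match literally.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def covered_by(san_list: list[str], hostname: str) -> Optional[str]:
    """Return the first SAN entry that covers `hostname`, or None."""
    for san in san_list:
        if wildcard_matches(san, hostname):
            return san
    return None


if __name__ == "__main__":
    # Constructed SAN list for the scheme described in the thread:
    # the bare domain, one wildcard for ordinary sub-domains, and a
    # second wildcard for per-user upload hosts one level deeper.
    sans = ["example.org", "*.example.org", "*.files.example.org"]

    for host in [
        "example.org",
        "www.example.org",
        "files.example.org",
        "haravikk.files.example.org",
        "deep.haravikk.files.example.org",
    ]:
        print(f"{host:35} -> {covered_by(sans, host)}")
```

Running the block prints which SAN entry (if any) covers each constructed hostname; the last one, two labels below `files.example.org`, is covered by nothing, which is the behaviour the replies describe.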
