Wildcard: are subdomains automatically put on HTTPS?


#1

Hello,

Little question about the Let’s Encrypt wildcard available in January 2018.

I don’t really know how a wildcard certificate works. Will subdomains automatically be on HTTPS with that kind of certificate?

When we create subdomains on the fly, is there any specific operation to have HTTPS on new subdomains?

Thanks a lot for your answer :slight_smile:
Robin


#2

Yes: https://en.wikipedia.org/wiki/Wildcard_certificate
A wildcard certificate for *.example.com will be valid for any subdomain on .example.com.


#3

As you’ve probably discovered (or you can go look now with any certificate inspecting tool of your choice; many web browsers have something built in), ordinarily certificates have a list of names inside them. For example, a certificate might say it’s for

www.example.com
example.com
cat-photos.example.com
mail.example.com

This certificate will be suitable for a service offering any (or all) of those names, but it would cause errors or some warning to the end user if you tried to use it for a service named, say, www.example.org because that’s not on the list.

Wildcard certificates say something like *.example.com as a name. The asterisk matches any one DNS label at the left hand of the name; that’s basically any part of the name that doesn’t have a dot in it. So *.example.com would match www.example.com, mail.example.com and cat-photos.example.com, but not www.example.org, or example.com (not enough dots) or, say, database.internal.example.com (too many dots). This use of an asterisk is called a “wildcard”.

However, you will still need to configure (web) servers for any new names and set them to present the certificate. It is possible that the Certbot software will be updated to help with this, but probably if you’re creating new subdomains on the fly you’ll need to arrange as part of that to use HTTPS for them, and to present the wildcard certificate to visitors as proof you control these new names.
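
The matching rule described in post #3, as an added Python example that is not part of the original thread. The function names are hypothetical, and the sample certificates are constructed from the names used in the post.

```python
def _labels(name):
    # DNS names are case-insensitive; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")


def name_matches(cert_name, hostname):
    """True if one name from a certificate covers the hostname."""
    pattern, host = _labels(cert_name), _labels(hostname)
    # The asterisk stands for exactly one label, so the number of
    # labels must be equal ("not enough dots" / "too many dots").
    if len(pattern) != len(host) or "" in host:
        return False
    if pattern[0] == "*":
        # Only the leftmost label is a wildcard; the rest must match exactly.
        return "*" not in pattern[1:] and pattern[1:] == host[1:]
    return pattern == host


def cert_covers(cert_names, hostname):
    """True if any name listed in the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


# Constructed samples: the name list and the wildcard from post #3.
LISTED = ["www.example.com", "example.com",
          "cat-photos.example.com", "mail.example.com"]
WILDCARD = ["*.example.com"]

if __name__ == "__main__":
    hosts = ["www.example.com", "new-on-the-fly.example.com", "example.com",
             "database.internal.example.com", "www.example.org"]
    for h in hosts:
        print(f"{h:32} listed={cert_covers(LISTED, h)!s:5} "
              f"wildcard={cert_covers(WILDCARD, h)}")
```

A subdomain created on the fly is covered by the wildcard name without reissuing the certificate, but the server still has to be configured to present that certificate for the new name.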

