Is it possible to secure multiple domains with a single certificate using wildcard domains and a SAN?
For example, one SAN certificate that secures both *.domain1.com and *.domain2.com
?
Everything I have read so far seems to indicate that you can have either a wildcard certificate (*.domain1.com) OR a SAN certificate (host1.domain1.com, host2.domain2.com), but not a combination. Is this correct?
An SSL SAN wildcard certificate is one that allows you to add multiple domains (similar to a multi-domain/SAN SSL certificate) with the added bonus of securing unlimited multi-level subdomains.
WildCard certificate protects multiple subdomains of the same Main Domain. SAN Certificate (MultiDomain) allows to include several Different Domains and their subdomains in the same SSL Certificate.
Your certificate won't go invalid on your servers unless a) it is expired based on the date range in the cert, b) it is added to a CRL (revoked), or c) installed on a server that has configured a different private key than what was used to create the CSR.
Wildcard certificates: which secure the primary domain and multiple subdomains (e.g., www.domain.com, email.domain.com, blog.domain.com). SAN SSL certificates: which secures one primary domain name and, varying by the provider, up to 500 subject alternative names (e.g., primary domains, IP addresses, common names).
Yes, it's certainly technically possible. For instance, the cetrtificate for Microsoft Outlook Web Access (https://outlook.office365.com) was issued to outlook.com, and has a combination of wildcarded and non-wildcarded names in the SAN section:
DNS Name=outlook.com
DNS Name=*.outlook.com
DNS Name=office365.com
DNS Name=*.office365.com
DNS Name=*.live.com
DNS Name=*.internal.outlook.com
DNS Name=*.outlook.office365.com
DNS Name=outlook.office.com
DNS Name=attachment.outlook.office.net
DNS Name=attachment.outlook.officeppe.net
Of course, as pointed out above, this cert was issued by Microsoft themselves, so they can pretty much do what they want.
I assume you use want to use the certificate for HTTP. In this case you need to look at RFC 2818. This RFC clearly defines that common name should only be used if no subject alternative names are configured, but it allows wildcards certificates in the SAN extension. So it should be possible to combine several non-wildcard and wildcard certificates inside the SAN part of the certificate.
It looks like various CAs have different policies about creating certificates mixing wildcard and non-wildcard: While Thawte argues that mixing is not possible (https://community.thawte.com/blog-posts/difference-between-wildcard-ssl-vs-san-certificate) DigiCert propagates it as the best of both worlds (http://www.digicert.com/ssl-support/wildcard-san-names.htm). So it seems to be more a limitation of the CAs and not of the browsers and definitely not of the standard.
Generally, a domain name or URL requires just one certificate to be secure. But what if you need to secure multiple domains? How can you manage their security without sacrificing budget and time?
Securing Multiple Domains
Securing multiple domains can be achieved with 2 approaches, Wildcard certificates and Unified Communications Certificates (UCC), also known as SAN (Subject Alternative Name). SAN lets you specify additional host names (sites, IP addresses, common names, etc.) to be protected by a single SSL Certificate, while a Wildcard certificate can support a single domain and an unlimited number of first-level subdomains. SAN/UCC can also be combined as an extension with a Wildcard to add functionality to the certificate. You can combine these two certificates as a Multi-domain Wildcard SSL Certificate depending on your needs. This makes managing the security of multiple websites much easier and cheaper than managing a separate SSL certificate for every domain you own.
Read More:Securing Multiple Domains with SAN/UCC Certificates
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With