1

I have purchased a wildcard ssl certificate from RapidSSL and trying to set it up. Essentially I want to be able to use it as:

  • example.com

  • app.example.com

  • *.app.example.com

and that'd be also good if I can use on staging.app.example.com on another server (test server).

I have made it work on app.example.com but it doesn't work on others.

Also, after doing some reading this and that, I have learnt how it is done on definite routes but how about wildcard?

senty
  • 135
  • 1
    wildcards are not recursive and I do not believe rapidssl offers multi-wildcard domains. You can check with digicert (who stack exchange uses) or just use something like Letsencrypt and get certs issued on demand for the names you need, up to 100 SANs per cert. – Jacob Evans Dec 06 '17 at 23:22
  • @JacobEvans In fact, I want the asterisk in *.app.example.com to be dynamic such as username. And with this scenario, I won't be able to register a cert for each one of them. What do you think I should do? – senty Dec 06 '17 at 23:57
  • Yes you can absolutely request a wildcard cert for *.app.example.com, I'd still suggest you get an LE cert (wildcard support coming 2018) – Jacob Evans Dec 06 '17 at 23:59
  • I have already purchased wildcard cert from RapidSSL. In your last comment I realised something: I should register my domain as *.app.example.com in the certificate, instead I registered as *.example.com, so it only worked on app.example.com but not staging. Is that right? But if so, how about example.com? – senty Dec 07 '17 at 00:01
  • example.com is not covered by *.example.com however MANY CAs will add that SAN – Jacob Evans Dec 07 '17 at 00:04
  • you can likely re-issue the cert with a new CSR containing the proper wildcard domain. – Jacob Evans Dec 07 '17 at 00:04
  • I will but I am a bit confused. As far as I understand, I should create 3 different ones: *.app.example.com, example.com, and *.staging.app.example.com. Is that right? – senty Dec 07 '17 at 00:05

1 Answers1

3

Most CA's will issue either a MultiDomain SSL or a single Wildcard cert.

So you would need (2) Certs to cover those 3 domains.

1) example.com, www.example.com 2) app.example.com, *.app.example.com

staging.app.example.com is covered by *.app.example.com but user.staging.app.example.com is not.

I've suggested using - hyphens instead in some cases, such as user-staging.app.example.com

I say most, as you can request these from Digicert and some others.

Cert 1 Generation with OpenSSL)

openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout example.com.key -subj "/C=US/ST=Virginia/O=Company Name/OU=Web Security/CN=example.com" -config <(
cat <<-EOF
[req]
default_bits = 2048
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
EOF
)

Cert 2 Generation with OpenSSL)

openssl req -new -newkey rsa:2048 -nodes -sha256 -keyout example.com.key -subj "/C=US/ST=Virginia/O=Company Name/OU=Web Security/CN=example.com" -config <(
cat <<-EOF
[req]
default_bits = 2048
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = app.example.com
DNS.2 = *.app.example.com
EOF
)
Jacob Evans
  • 8,006
  • And (3) certs if I need to enable *.staging.app.example.com? – senty Dec 07 '17 at 00:03
  • 1
    yeah, unless you don't use . to split out your subdomains and use - instead. – Jacob Evans Dec 07 '17 at 00:06
  • I have a quick question about your answer: Normally, I generate the CSR with openssl genrsa -out csr.key 2048 command and it was asking me some questions to fill. Your method seemed a bit complex to me. If I am using the answer questions method, in common name, do I need to write *.app.example.com app.example.com without any comma or do I write only one of them? This guide – senty Dec 07 '17 at 00:12
  • You can do it that way, my one-liner is pretty easy to change the variables to fit your specifics. – Jacob Evans Dec 07 '17 at 00:41