Wildcard certificate


An example of a wildcard certificate on https://plus.google.com (note the asterisk: *)
An example of an EV certificate acting as a wildcard certificate on https://www.ssl.com (note the Subject Alternative Name (SAN) field)

In computer networking, a wildcard certificate is a public key certificate which can be used with multiple subdomains of a domain. The principal use is for securing web sites with HTTPS, but there are also applications in many other fields. Compared with obtaining a conventional certificate for each subdomain, a wildcard certificate can be cheaper and more convenient.[1]

Analogy

One analogy is that of a public notary who issues a public validation of a person's identity. An individual wishing to have her identity validated would submit her own name and some evidence of her residence and existence. The public notary would sign a document asserting the identity of the individual for a fee. The notary would risk his professional accreditation in doing so, which would presumably lead to a reasonable assessment of the person's identity as verified. Since the public could place some trust in a practicing lawyer doing so, the certification is an indication of the validity of the person's identity. In the computer realm, an individual website such as www.wikipedia.org is the person and the certification authority is the notary public.

The analogy for a wildcard certificate would be as follows. During the same meeting, the person represents that they have several unidentified children. They also would like the notary public to certify all of those children as existing persons. The notary public at the same time signs a number of blank letters with empty spaces for the names of the children, and in that letter states that the certification is valid if there is DNA matching the person's own. A wildcard certificate would enable the person to represent to the public those children of the same surname and lineage, with the same force as their own identity. In this analogy the Internet DNS is the DNA match. Since the person controls their own DNA, it is unlikely they could represent a child as their own without a DNA match.

Example

A single wildcard certificate for *.example.com will secure all of these domains:[2]

  • payment.example.com
  • contact.example.com
  • login-secure.example.com
  • www.example.com

Instead of getting separate certificates for each subdomain, you can use a single certificate for the domain and its subdomains and save money.[3]

Because the wildcard only covers one level of subdomains (the asterisk does not match a dot),[4] this domain would not be covered by the certificate:

  • test.login.example.com

The "naked" (apex) domain is covered only when it is added separately as a Subject Alternative Name:[5]

  • example.com

Note that some CAs make exceptions: for example, DigiCert's Wildcard Plus certificate automatically includes the naked domain example.com.

Limitation

Only a single level of subdomain matching is supported.[6]

It is not possible to get a wildcard for an Extended Validation Certificate.[7] A workaround could be to add every virtual host name in the Subject Alternative Name (SAN) extension,[8][9][10] the major problem being that the certificate needs to be reissued whenever a new virtual server is added.[11]

Wildcards can be added as domains in multi-domain certificates or Unified Communications Certificates (UCC).[12] In addition, wildcard certificates themselves can carry subjectAltName extensions, including other wildcards. For example, the wildcard certificate for *.wikipedia.org has *.m.wikimedia.org as a Subject Alternative Name. Thus it secures https://www.wikipedia.org as well as the completely different website name https://meta.m.wikimedia.org.[13]

RFC 6125 argues against wildcard certificates on security grounds.[14]
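The matching rules described in the Example and Limitation sections, worked through in code. This is an added example, not part of the original article: it applies the RFC 6125 section 6.4.3 rules (a wildcard is honoured only as the entire leftmost label and stands in for exactly one label, never a dot) to the article's own names, and the certificate name lists are constructed to mirror the *.example.com and *.wikipedia.org examples above. The refusal of patterns with fewer than two labels after the wildcard (such as *.com) is an added assumption reflecting CA issuance practice, not a rule stated on the page.

```python
"""Check whether a hostname is covered by a certificate's DNS names,
applying the single-label wildcard rule. Added example; not article code."""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`."""
    # DNS names are case-insensitive; ignore a trailing root dot.
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname            # plain (non-wildcard) SAN entry
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # "*" must be the whole leftmost label; a second "*" or a partial
    # label such as "f*" is rejected (stricter than RFC 6125 permits,
    # which is how most TLS clients behave).
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False
    # Assumption: refuse overly broad patterns like "*.com".
    if len(p_labels) < 3:
        return False
    # The wildcard replaces exactly one label, so label counts must agree:
    # this is why test.login.example.com fails against *.example.com and
    # why the naked domain example.com also fails.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return h_labels[1:] == p_labels[1:]


def certificate_covers(cert_names, hostname: str) -> bool:
    """True if any of the certificate's DNS names (CN plus SANs) matches."""
    return any(wildcard_matches(name, hostname) for name in cert_names)


# Constructed name lists mirroring the article's examples.
EXAMPLE_COM_WILDCARD = ["*.example.com"]
EXAMPLE_COM_WITH_NAKED = ["*.example.com", "example.com"]   # apex added as SAN
WIKIPEDIA_CERT = ["*.wikipedia.org", "*.m.wikimedia.org"]    # wildcard SAN


if __name__ == "__main__":
    for names, host in [(EXAMPLE_COM_WILDCARD, "payment.example.com"),
                        (EXAMPLE_COM_WILDCARD, "test.login.example.com"),
                        (EXAMPLE_COM_WILDCARD, "example.com"),
                        (EXAMPLE_COM_WITH_NAKED, "example.com"),
                        (WIKIPEDIA_CERT, "meta.m.wikimedia.org")]:
        print(f"{host:28s} covered by {names}: {certificate_covers(names, host)}")
```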

References

  1. (reference text not recoverable from this page)
  2. (reference text not recoverable from this page)
  3. (reference text not recoverable from this page)
  4. (reference text not recoverable from this page)
  5. (reference text not recoverable from this page)
  6. Wildcard SSL certificate limitation, QuovadisGlobal.com
  7. (reference text not recoverable from this page)
  8. x509v3_config: Subject Alternative Name
  9. The subjectAltName field
  10. The SAN option is available for EV SSL Certificates, Symantec.com
  11. Need to be reissued whenever a new virtual server is added
  12. Wildcard domains can be used within UCC, SSL.com
  13. SSLTools Certificate Lookup of Wikipedia.org's wildcard SSL certificate
  14. RFC 6125, Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)
