New on LowEndTalk? Please Register and read our Community Rules.
What kind of SSL certificate for multi-level wildcard?
elwebmaster
Member
I need to secure *.*.mydomain.com. What kind of certificate do I need? I tried AlphaSSL wildcard *.mydomain.com but Chrome doesn't take it. Is it possible to create a CSR with two asterisks in it, or how do I get such a certificate? Both levels can be anything; I don't know the possible subdomains that may be used.
Comments
You will need different wildcard certificates for different levels of domains/sub-domains. One for *.mydomain.com & other for *.subdomain.mydomain.com. There is nothing like *.*.mydomain.com in the SSL world. If you need a single certificate to secure both/multiple levels of sub-domains, you can go the SAN/UCC way which covers:
But such a certificate would be much much dearer with the SSL issuer charging a good amount for every wildcard domain/sub-domain that you add.
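To make the single-label rule concrete, here is an added example (not code from this thread) that matches hostnames against certificate names the way browsers do, checks a SAN list, and picks a per-project wildcard certificate by SNI hostname; the names projectx and mydomain.com are constructed placeholders.

```python
def matches_name(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`.

    A wildcard is honoured only as the entire left-most label and never
    spans a dot (RFC 6125 s6.4.3 / RFC 2818), so '*.mydomain.com' covers
    'xyz.mydomain.com' but not 'app.xyz.mydomain.com'. A '*.*.mydomain.com'
    pattern is rejected outright, which is what browsers do with such a cert.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # One wildcard, it must be the whole left-most label, and at least two
    # literal labels must follow it (so '*.com' is never accepted).
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # '*' stands for exactly one label, so the label counts must agree.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(san_names: list[str], hostname: str) -> bool:
    """A multi-domain (SAN/UCC) certificate covers a host if any entry matches."""
    return any(matches_name(name, hostname) for name in san_names)


def pick_cert_for_sni(certs: dict[str, list[str]], sni_hostname: str):
    """Choose which certificate to serve for the hostname in a ClientHello's SNI.

    `certs` maps a label of our choosing to that cert's SAN list. This models
    the per-project scheme from the thread: one '*.projectx.mydomain.com'
    cert per project, selected by SNI instead of an impossible '*.*' cert.
    """
    for label, san_names in certs.items():
        if cert_covers(san_names, sni_hostname):
            return label
    return None


if __name__ == "__main__":
    # Constructed sample: the base wildcard plus one per-project wildcard.
    certs = {"base": ["*.mydomain.com"], "projectx": ["*.projectx.mydomain.com"]}
    print(pick_cert_for_sni(certs, "app.projectx.mydomain.com"))  # projectx
    print(pick_cert_for_sni(certs, "app.other.mydomain.com"))     # None
```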
That's right ... not sure why you want to keep the domain and subdomain structure so complicated, as the more subdomains, the more the SSL provider will charge.
Keep the domain and subdomain structure simple.
4th level domains - forget about affordable SSL.
See StackOverflow case.
Currently I am doing it with LetsEncrypt but it is not ideal. I need to know beforehand both the 3rd and 4th level domains, which from a business point of view is very limiting. The 3rd level domain:
xyz.mydomain.com
is not a big deal to know (although there will be a lot of them), but the 4th level I really need a wildcard for. The only way I can think of to economically do this is through SingleHop and AlphaSSL. If I could script the email verification part then I could issue a wildcard certificate for every subdomain (*.xyz.mydomain.com) and this could work. If it worked with DNS or HTTP-based verification (like I am doing with LetsEncrypt right now) that would be much easier.
How does Cloudflare do it? I know they have more cash to spare, I am just thinking from a technical point of view what my options may be in the longer term.
They seem to have missed the idea of using SNI to choose between SAN certificates for the 3rd level. They could also reorganize their meta sites as .meta.stackexchange.com instead of meta..stackexchange.com etc.
@elwebmaster how many total domains are you talking about? How many 3rd level? Can you just use single domain LetsEncrypt for everything? Are they all public-facing web sites, and if not, can you use a private CA?
All public facing. One subdomain per customer project. So the question is how many customers I will have and how big they will be. I have thought of other ways to work around it (like using a path instead of 4th level domain) but it isn't really feasible. I considered putting the full subdomains into Cloudflare but it doesn't save much effort compared to just requesting another cert from LetsEncrypt.
I guess I could use a "-" instead of "." to work around the 4th level subdomain, but it looks kind of ghetto...and it makes it harder to do load-balancing. The way I have it, I can just add a DNS record *.projectX.domain.com pointing to a known IP and as long as that server can handle the projects it has everything is cool. With "-" (assuming I don't know the 4th level) I will have to put a *.domain.com DNS record and provision some massive load balancer(s) to distribute requests to the right project backend.
Well is this millions of projects? Will customers spawn new ones without your involvement? If you're doing billable development for these customers, the cost of a Comodo wildcard cert per customer isn't enormous ($42 reseller price at Gogetssl, sold under gogetssl brand but it's a normal Comodo certificate). Gogetssl has a reasonable API to put the requests through and you can use DNS authentication etc. Or you could have an automated LetsEncrypt client generate single domain certs if there's less than, say, a few thousand of them.
Hallelujah, you have arrived at the only sensible solution on your own. Just stop being such an insufferable pedant and realize that projectX-thing.domain.com is just as good as thing.projectX.domain.com.
It does make sense for now. Once I get to over 1000 projects maybe I will look into the options again.
You cannot use an SSL certificate on such a *.*. (two-asterisk) query. If you want to protect multiple levels of sub-domains with a single certificate then a Multi-Domain Wildcard certificate would be the best choice. It will give you the facility to protect:
as well as,
I would like to suggest one article explaining the difference between SAN and Wildcard SSL.
Yea, 3 digits for wildcard UCC plus like 500+ for the initial cert...
They just use SAN, in some cases wildcard but in most this is just simple SNI and certs with like 100 subdomains, thousands of them. CF has a special deal and does not pay per single cert, they also have their own verification backend with the suppliers.