Friday, 15 June 2018

In computer networking, a wildcard certificate is a public key certificate that can be used with multiple subdomains of a domain. Its primary use is to secure websites with HTTPS, but there are also applications in many other fields. Compared with conventional certificates, a wildcard certificate can be cheaper and more convenient than a separate certificate for each subdomain.





Example

A single wildcard certificate for https://*.example.com will secure all of these subdomains of the https://*.example.com domain:

  • payment.example.com
  • contact.example.com
  • login-secure.example.com
  • www.example.com

Instead of getting separate certificates for subdomains, you can use a single certificate for all main domains and subdomains and reduce cost.

Because the wildcard covers only one level of subdomains (the asterisk does not match full stops), this domain would not be valid for the certificate:

  • test.login.example.com

The "naked" domain is valid when added separately as a Subject Alternative Name (SubjectAltName):

  • example.com

Note possible exceptions by CAs: for example, the wildcard-plus certificate by DigiCert contains an automatic "Plus" property for the naked domain example.com.



Limitations

Only one level of matching subdomain is supported.

It is not possible to get a wildcard for an Extended Validation Certificate. A workaround is to add every virtual host name in the Subject Alternative Name (SAN) extension, the main problem being that the certificate needs to be reissued each time a new virtual server is added. (See Transport Layer Security § Support for name-based virtual servers for more information.)

Wildcards can be added as domains in a multi-domain certificate or Unified Communications Certificate (UCC). In addition, wildcard certificates themselves can have subjectAltName extensions, including other wildcards. For example, the wildcard certificate *.wikipedia.org has *.m.wikimedia.org as a Subject Alternative Name. It therefore secures www.wikipedia.org as well as the completely different website name meta.m.wikimedia.org.

RFC 6125 argues against wildcard certificates on security grounds.



Example

A wildcard applies to only one label (one level) of the domain name.

label.label.label.TLD
*.domain.com is OK. This will match www.domain.com but not domain.com and not zzz.www.domain.com

A wildcard may appear anywhere inside a label (a "partial wildcard").

f*.domain.com is OK. This will match frog.domain.com but not frog.super.domain.com
baz*.example.net is OK and matches baz1.example.net
*baz.example.net is OK and matches foobaz.example.net
b*z.example.net is OK and matches buzz.example.net

Do not allow a label that consists entirely of a wildcard unless it is the left-most label.

sub1.*.domain.com is not allowed.

A certificate with multiple wildcards in a name is not allowed.

*.*.domain.com

A certificate with * plus a top-level domain is not allowed.

*.com

Too general and should not be allowed.

*

International domain names encoded in ASCII (A-labels) are labels that are ASCII-encoded and begin with xn--.

Do not allow wildcards in an international label.

xn--caf-dma.com is café.com
xn--caf-dma*.com is not allowed
Lw*.xn--caf-dma.com is allowed
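
The rules in this section, written as a small matcher (an added example, not part of the original article; all function names are hypothetical). As assumptions, it restricts the asterisk to the left-most label, lets a partial wildcard match zero characters, and uses no public-suffix list, so it rejects *.com but would not catch a name such as *.co.uk.

```python
def _labels(name: str) -> list[str]:
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")

def pattern_allowed(pattern: str) -> bool:
    """Check a certificate name against the wildcard rules listed above."""
    labels = _labels(pattern)
    if not all(labels):                  # empty label, e.g. "a..com"
        return False
    if "*" not in pattern:
        return True                      # ordinary, non-wildcard name
    if pattern.count("*") > 1:           # "*.*.domain.com"
        return False
    if "*" not in labels[0]:             # "sub1.*.domain.com"
        return False
    if labels[0].startswith("xn--"):     # "xn--caf-dma*.com"
        return False
    return len(labels) >= 3              # rejects "*" and "*.com"

def matches(pattern: str, hostname: str) -> bool:
    """True if hostname is covered by one certificate name."""
    if not pattern_allowed(pattern) or "*" in hostname:
        return False
    p, h = _labels(pattern), _labels(hostname)
    # The asterisk never spans a dot: label counts must be equal and
    # every label to the right of the first must match exactly.
    if not all(h) or len(p) != len(h) or p[1:] != h[1:]:
        return False
    if "*" not in p[0]:
        return p[0] == h[0]
    prefix, suffix = p[0].split("*")
    return (len(h[0]) >= len(prefix) + len(suffix)
            and h[0].startswith(prefix) and h[0].endswith(suffix))

def cert_covers(san_names: list[str], hostname: str) -> bool:
    """A certificate covers a host if any of its SAN entries matches."""
    return any(matches(name, hostname) for name in san_names)

if __name__ == "__main__":
    san = ["*.example.com", "example.com"]   # constructed SAN list
    for host in ["payment.example.com", "example.com",
                 "test.login.example.com"]:
        print(host, cert_covers(san, host))
```

Many current TLS clients accept only the whole-label form such as *.example.com, so check partial wildcards against the clients you need to support.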


Relevant RFCs

  • "RFC 2595 - Using TLS with IMAP, POP3 and ACAP". Internet Engineering Task Force. June 1999. p. 3.
  • "RFC 2818 - HTTP Over TLS". Internet Engineering Task Force. May 2000. p. 5.
  • "RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)". Internet Engineering Task Force. March 2011.

Source of the article: Wikipedia
