Wildcard for second level subdomain

AWS Certificate Manager isn't allowing me to add a 2-level wildcard domain name, which would match x.a.example.com, y.b.example.com etc.

Is there a workaround for this? (instead of creating *.a.example.com, *.b.example.com etc)

Pike answered 14/12, 2017 at 10:31 Comment(3)
No, there is no other way. In X.509 certificates, a wildcard can cover only a single subdomain level and can be only the leftmost character. - Elzaelzevir
You can use SAN and add each subdomain to the same cert. A bit of a pain, but better than multiple certs. - Bertold
Note for people arriving here: Google Chrome caches SSL certificates. So if you changed your certificate from *.example. to *.a.example.com and Chrome still says your certificate is invalid, it's probably still the old one (you can click on the padlock on the left of the URL and check what certificate Chrome sees for your site). If it's still the old one, you can refresh the cache a few times. - Shopper

Source: http://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html

Wildcard Names: ACM allows you to use an asterisk (*) in the domain name to create an ACM Certificate containing a wildcard name that can protect several sites in the same domain. For example, *.example.com protects www.example.com and images.example.com.

Note: When you request a wildcard certificate, the asterisk (*) must be in the leftmost position of the domain name and can protect only one subdomain level. For example, *.example.com can protect login.example.com and test.example.com, but it cannot protect test.login.example.com. Also note that *.example.com protects only the subdomains of example.com, it does not protect the bare or apex domain (example.com). However, you can request a certificate that protects a bare or apex domain and its subdomains by specifying multiple domain names in your request. For example, you can request a certificate that protects example.com and *.example.com.

Unfortunately this is not possible/supported.

Parahydrogen answered 14/12, 2017 at 14:9 Comment(1)
Okay. But what about multiple subdomains and only one wildcard, like "*.preview.site.com"? - Waterway

For those who are having issues with multiple subdomains in their certificate.

Source: https://aws.amazon.com/premiumsupport/knowledge-center/associate-ssl-certificates-cloudfront/

You can't associate more than one SSL or Transport Layer Security (TLS) certificate to an individual CloudFront distribution. However, certificates provided by AWS Certificate Manager (ACM) support up to 10 subject alternative names, including wildcards. To enable SSL or HTTPS for multiple domains served through one CloudFront distribution, assign a certificate from ACM that includes all the required domains.

To use your own SSL certificate for multiple domain names with CloudFront, import your certificate into ACM or the AWS Identity and Access Management (IAM) certificate store. For instructions, see Importing an SSL/TLS Certificate.

Estevez answered 7/7, 2021 at 9:3 Comment(0)
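The two answers above state the rules as prose: a wildcard covers exactly one label and must be the whole leftmost label (so *.example.com covers neither example.com nor x.a.example.com), and a single ACM certificate can carry up to 10 subject alternative names. The following Python is an added example, not code from the question, any answer, or AWS: it implements that matching rule, reports which hostnames a proposed SAN list leaves uncovered, and derives the SAN entries a set of hostnames needs under the single-level rule. The hostnames and the `ACM_DEFAULT_SAN_LIMIT` constant are taken from this page; the planning heuristic (wildcard only where two or more names share a parent) is an assumption of this example, not ACM behaviour.

```python
"""Wildcard-name matching and SAN planning under the single-level rule.

Added example; not from the page's authors or from AWS. The matching
rule is the one quoted from the ACM documentation above (and the one
browsers apply per RFC 6125 section 6.4.3): the asterisk must be the
complete leftmost label and stands in for exactly one label.
"""
from collections import defaultdict
from typing import Dict, Iterable, List

ACM_DEFAULT_SAN_LIMIT = 10  # per-certificate SAN figure quoted on this page


def _labels(name: str) -> List[str]:
    """Normalise a DNS name to lower-case labels without a trailing dot."""
    return name.strip().lower().rstrip(".").split(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if SAN entry `pattern` covers `hostname`.

    - A pattern without '*' must match exactly.
    - '*' is honoured only as the whole leftmost label; '*.*.example.com'
      and partial-label forms such as 'w*.example.com' are rejected
      (public CAs do not issue them, so do not rely on them).
    - The wildcard matches exactly one label, so '*.example.com' covers
      'login.example.com' but not 'example.com' or 'x.a.example.com'.
    """
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    if len(p) != len(h) or not h[0]:
        return False
    return p[1:] == h[1:]


def uncovered(hostnames: Iterable[str], san_names: Iterable[str]) -> List[str]:
    """Hostnames that no entry in `san_names` covers."""
    sans = list(san_names)
    return [h for h in hostnames if not any(wildcard_matches(s, h) for s in sans)]


def plan_san_names(hostnames: Iterable[str]) -> List[str]:
    """Derive SAN entries covering `hostnames` with single-level wildcards.

    Heuristic (this example's assumption): hostnames sharing a parent get
    one '*.parent' entry; a lone hostname is listed literally; a wildcard
    is never emitted for a parent of fewer than two labels (no '*.com').
    """
    by_parent: Dict[str, List[str]] = defaultdict(list)
    for host in hostnames:
        labels = _labels(host)
        by_parent[".".join(labels[1:])].append(".".join(labels))
    names = set()
    for parent, hosts in by_parent.items():
        if len(hosts) > 1 and len(parent.split(".")) >= 2:
            names.add("*." + parent)
        else:
            names.update(hosts)
    return sorted(names)


def within_san_limit(names: Iterable[str], limit: int = ACM_DEFAULT_SAN_LIMIT) -> bool:
    """Whether the planned entries fit in one certificate at `limit` SANs."""
    return len(list(names)) <= limit


if __name__ == "__main__":
    # Constructed sample: the question's hosts plus the apex and www.
    wanted = ["x.a.example.com", "z.a.example.com", "y.b.example.com",
              "www.example.com", "example.com"]
    print("uncovered by *.example.com:", uncovered(wanted, ["*.example.com"]))
    plan = plan_san_names(wanted)
    print("planned SANs:", plan, "fits:", within_san_limit(plan))
```

Running the module shows that *.example.com alone covers none of the five sample names, while the planned list (*.a.example.com plus three literal names) covers all of them within the 10-name figure quoted above. The planner does not know public-suffix boundaries, so review its output before requesting a certificate.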

You can have Subject Alternative Names or SANs in the certificate for named domains: https://geekflare.com/san-ssl-certificate/

Certificate Signing Request or CSR generation would be something like this:

openssl req -new -key my.key -out my.csr -subj "/CN=*.domain.com" -addext "subjectAltName=DNS:one.complex.domain.com,DNS:completely.another.domain.com"

More details here: https://mcmap.net/q/143223/-wildcard-ssl-on-sub-subdomain-closed

Indamine answered 29/9, 2020 at 9:55 Comment(1)
Great link, but just FYI to users: the san.cnf file is required too. - Coronal
