Skip to content Skip to site navigation Skip to service navigation

SSL Wildcard Certificates

Using Wildcard Certificates

A "wildcard" SSL certificate is a certificate that matches any fully-qualified domain name of a subdomain. For example, "example.stanford.edu" is a subdomain of "stanford.edu".

The certificate that contains "*.example.stanford.edu" is an example of a wildcard certificate. This certificate can be used on any server whose hostname is in the "example.stanford.edu" domain, e.g, "www.example.stanford.edu", "mail.example.stanford.edu", or "ftp.example.stanford.edu". Note that only one level of subdomain is matched, so "*.example.stanford.edu" does not match "www.email.example.stanford.edu".

When to use Wildcard Certificates

In the past people have used wildcard certificates as a way to save money by avoiding buying multiple certificates. At Stanford, we pay a flat-rate for all of our certificates from InCommon, so cost is no longer an issue. There is also a security consideration when using a wildcard certificate: if the private key associated with that wildcard certificate is compromised, then all servers using that wildcard certificate are vulnerable. Thus, we strongly discourage the use of wildcard certificates except in those cases where there is a technical need for them.

Requesting a Wildcard Certificate

If you decide that you really do need a wildcard certificate, please follow this process to request one; in the following we will assume a request for a wildcard certificate for the subdomain "example.stanford.edu".

  1. If your domain is not already a subdomain of an existing domain in NetDB, you will need to register your new domain by following the Internet Domain Name Registration Guidelines.
  2. Register your subdomain in NetDB as a "domain" object. To do this, submit a HelpSU ticket to the Networking group.
  3. After getting your NetDB domain created, create a NetDB "node" object with the name of the subdomain. This node does not need to have any IP address associated with it.
  4. Once your subdomain is registered in NetDB, create a certificate signing request (CSR) with "example.stanford.edu" as the subject; do not make "*.example.stanford.edu" the subject or the request will fail.
  5. Go to the SSL Request Form and submit your request. Be sure to put "*.example.stanford.edu" as a Subject Alternative Name in the form.
  6. You should receive your certificate within 5 business days.

 

Last modified September 15, 2020