Wildcard Certificates for Secondary Root Domains

Moses Hernandez
Cisco Employee

I have a customer who has a wildcard certificate. Let's say it's:

*.bar.com

They have ISE implemented in multiple subdomains, so let's say they have:

ise1.foo.bar.com

Would *.bar.com match hosts in the foo.bar.com subdomain? I've looked all over the place on the internet and the guidance in many places is completely unclear. We are trying to chase down whether this is a bug or not.

Accepted Solution

Jason Kunst
Cisco Employee

No, you would need to have a wildcard *.foo.bar.com.

And this would be best practice as well, because if this was compromised you could revoke it and not have to revoke foo.com.

No bug here.

Replies

hslai
Cisco Employee

No, I do not think it would work. The wildcard certificates need the specific subdomains in them to allow the hostname/FQDN match.

See "Can I Create a *.subdomain.domain.com Wildcard? How About *.*.subdomain.com?" on SSL.com for more info.


Ping Zhou
Level 8

Hey Moses,

How-to 103 guide, on page 16 of 29.

"If you configure a Wildcard Certificate to use *.securitydemo.net, that same certificate may be used to secure any host whose DNS name ends in ".securitydemo.net", such as:

• aaa.securitydemo.net
• psn.securitydemo.net
• mydevices.securitydemo.net
• sponsor.securitydemo.net

A wildcard is only valid in the host field of the fully qualified domain name (FQDN). In other words, *.securitydemo.net would not match ise.aaa.securitydemo.net, because the wildcard value was not in the host portion of the FQDN."

hope this helps

Moses Hernandez
Cisco Employee

Jason,

Appreciate it. Here is what I can tell from different sources on the internet, few of which are clear:

- An SSL certificate for *.domain.tld does not match subdomains, such that *.*.domain.tld wouldn't work.

- You can try to use a UCC cert or SAN cert to cover:

     *.domain.tld

     *.subdomain.domain.tld

     *.subdomain2.domain.tld

    However, this may be rather expensive and/or not efficient.

- The customer has another option: dedicate a separate interface (eth1) to the guest portal and provide a DNS name (which can be served by the local DNS server) such that the guest portal appears to come from *.domain.tld.

Thanks for the guidance everyone.
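As an added example, not part of the original thread or of any Cisco documentation, the following Go program checks the single-label wildcard rule quoted from the How-to guide above and the multi-wildcard SAN certificate described in the last post. It mints throwaway self-signed certificates carrying the thread's hypothetical SAN entries (*.bar.com, *.foo.bar.com) and asks Go's standard-library crypto/x509 hostname verifier, which implements the same one-label matching as browsers and other RFC 6125 style clients, whether each name is covered. All hostnames are assumed examples, not real hosts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned mints a throwaway self-signed server certificate whose identity is
// carried entirely in the SAN dNSName entries. The names passed in below
// (*.bar.com, *.foo.bar.com) are the thread's hypothetical examples.
func selfSigned(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsNames[0]},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Covers reports whether a client doing standard hostname verification (here
// Go's crypto/x509, which allows "*" only as the whole left-most label and
// only for exactly one label) would accept cert when connecting to host.
func Covers(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

func main() {
	// The customer's existing certificate: a single wildcard SAN.
	wildcard, err := selfSigned([]string{"*.bar.com"})
	if err != nil {
		panic(err)
	}
	// The UCC/SAN alternative from the thread: one wildcard per subdomain level.
	multiSAN, err := selfSigned([]string{"*.bar.com", "*.foo.bar.com"})
	if err != nil {
		panic(err)
	}
	hosts := []string{"ise.bar.com", "ise1.foo.bar.com", "bar.com", "ise1.lab.foo.bar.com"}
	fmt.Printf("%-24s %-12s %s\n", "host", "*.bar.com", "*.bar.com + *.foo.bar.com")
	for _, h := range hosts {
		fmt.Printf("%-24s %-12v %v\n", h, Covers(wildcard, h), Covers(multiSAN, h))
	}
}
```

Running it shows *.bar.com covering ise.bar.com but neither ise1.foo.bar.com nor the bare bar.com, and the two-SAN certificate covering ise1.foo.bar.com while still rejecting a host one label deeper (ise1.lab.foo.bar.com), which is exactly why every subdomain level that hosts an ISE node needs its own wildcard entry.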
