Wildcard SSL Certificates: Second Level Domains

TL;DR

Yes. A wildcard certificate can name a wildcard at any depth below the registrable domain, so *.subdomain.example.com is permitted as long as the asterisk is the leftmost label. Public CAs that follow the CA/Browser Forum Baseline Requirements treat it like any other wildcard: you must prove control of the parent name (subdomain.example.com, or example.com above it) with a DNS record or an email to a domain contact, not with an HTTP file, and some commercial CAs price or restrict wildcard orders differently. Confirm the order type with your Certificate Authority (CA) before generating the CSR.

Understanding the Issue

A wildcard matches exactly one DNS label to the left of the dot. *.example.com covers www.example.com and mail.example.com, but not example.com itself (most CAs add the bare domain as a separate Subject Alternative Name) and not a.b.example.com. Strictly speaking, example.com is the second-level domain under the .com TLD and subdomain.example.com is a third-level name; this page uses “second-level domain” in the looser sense of a subdomain that itself carries a wildcard. Whether a CA sells and validates *.subdomain.example.com as a routine wildcard order or as a special case depends on the provider, so check before you start.

Step-by-Step Guide

  1. Check Your Certificate Authority’s Policy: This is the most important step. Each CA (Let’s Encrypt, Sectigo, DigiCert, etc.) has its own rules.
    • Visit your CA’s documentation or support pages. Search for “wildcard SSL second-level domain” or similar terms.
    • Contact their support team directly if the information isn’t clear. Ask specifically if they allow wildcard certificates on second-level domains and what validation is required.
  2. Generate a Certificate Signing Request (CSR): Create a key pair and a CSR that names the wildcard. Browsers ignore the Common Name and match the host against the Subject Alternative Name (SAN) extension, so the wildcard must appear in the SAN; list the base name as a second SAN if the certificate should also cover subdomain.example.com itself.

    The key and CSR can be produced with the web server’s own tooling (Apache, Nginx, IIS) or with OpenSSL (1.1.1 or newer for the -addext option):

    openssl req -new -newkey rsa:2048 -nodes -keyout subdomain.example.com.key -out subdomain.example.com.csr \
        -subj "/CN=*.subdomain.example.com" -addext "subjectAltName=DNS:*.subdomain.example.com,DNS:subdomain.example.com"

    Use the wildcard itself (*.subdomain.example.com), not a concrete host name, as the Common Name. Before submitting, print the CSR in text form and confirm the Requested Extensions block lists both DNS names.

  3. Submit the CSR to Your CA: Follow your CA’s instructions for submitting the CSR.
    • Most CAs have an online portal or require you to email the CSR file.
  4. Domain Validation: This is where wildcards differ from ordinary certificates.
    • DNS Record Validation (standard for wildcards): The CA asks you to publish a TXT or CNAME record proving control of the name the wildcard hangs under. With Let’s Encrypt, for example, the ACME DNS-01 challenge for *.subdomain.example.com is a TXT record at _acme-challenge.subdomain.example.com; the record is placed at the base name, never at a literal “*.” label. Follow the CA’s exact record name and value, and remember that DNS-01 is the only challenge Let’s Encrypt accepts for wildcards.
    • Email Validation: Some commercial CAs accept a confirmation email to a domain contact address (the WHOIS/RDAP contact or a constructed address such as admin@ on the domain) as proof for a wildcard order.
    • HTTP File Validation: Not available for wildcard names. The Baseline Requirements forbid validating a wildcard by placing a file on a web server, so a CA that only offers HTTP validation cannot issue this certificate.
  5. Install the Certificate: Once validation is complete, download the certificate and the CA’s intermediate chain from your CA.

    Follow your web server’s instructions for installing the certificate, the chain and the private key generated in step 2; the key never leaves the server.

    • Typically this means pointing the virtual host (or server block) for each covered host name at the certificate, chain and key files and reloading the service.
  6. Test Your Installation: Connect to a host under the wildcard (for example blog.subdomain.example.com) with a browser or an online SSL checker, or with the openssl s_client tool with the host name passed as the SNI server name, and confirm that the served certificate’s Subject Alternative Name list contains *.subdomain.example.com, that the chain is complete, and that no name you intend to serve falls outside the wildcard’s single-label scope.

Important Considerations

  • CA Restrictions: Some CAs do not sell wildcards below the registrable domain, or treat them as a separate product with stricter validation or a higher price. The Baseline Requirements themselves allow them, so this is a commercial choice by the CA, not a technical limit.
  • Wildcard Scope: A certificate for *.subdomain.example.com covers blog.subdomain.example.com and shop.subdomain.example.com. It does not cover example.com, it covers subdomain.example.com only if that name was added as a separate SAN, and it does not cover deeper names such as deep.blog.subdomain.example.com, because the wildcard matches exactly one label.
  • Security Best Practices: Keep the private key on the server only, readable by the service account alone (mode 0600), and never copy one wildcard key to every host that uses the certificate. A wildcard key is a single point of compromise: whoever holds it can impersonate every name under subdomain.example.com, so if it leaks, revoke the certificate and reissue from a new key rather than reusing the old one.
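The procedure end to end, as an added example that is not part of the original article: it generates the key and CSR from step 2 with the wildcard in the SAN, then stands in for the CA by self-signing a certificate with the same names so that the scope rules listed above can be checked offline with OpenSSL’s own hostname matcher (step 6). subdomain.example.com and the host names tested are placeholders, and the self-signed certificate is a test artefact only; the real certificate comes back from the CA after validation. Requires OpenSSL 1.1.1 or newer for the -addext option.

```shell
#!/bin/sh
# Added example, not code from the original article.
# Generates a wildcard CSR for a name under a subdomain, then checks which host
# names a certificate carrying that SAN actually covers. All names are placeholders.
set -e

BASE="subdomain.example.com"      # the name the wildcard hangs under (placeholder)
WILDCARD="*.${BASE}"
WORK="$(mktemp -d)"               # scratch directory for key, CSR and test cert

# Step 2: key pair plus CSR. The wildcard goes in the SAN (and CN); the base
# name is listed as a second SAN so the certificate also covers ${BASE} itself.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/wildcard.key" -out "$WORK/wildcard.csr" \
        -subj "/CN=${WILDCARD}" \
        -addext "subjectAltName=DNS:${WILDCARD},DNS:${BASE}" 2>/dev/null
}

# Returns 0 when the CSR's Requested Extensions list both DNS names in order.
csr_has_san() {
    openssl req -in "$WORK/wildcard.csr" -noout -text \
        | grep -q "DNS:\*\.${BASE}, DNS:${BASE}"
}

# Stand-in for the CA-issued certificate: self-signed with the same SAN so the
# scope rules can be exercised offline. Never deploy this; it is a test artefact.
make_test_cert() {
    openssl req -x509 -new -key "$WORK/wildcard.key" -days 1 \
        -subj "/CN=${WILDCARD}" \
        -addext "subjectAltName=DNS:${WILDCARD},DNS:${BASE}" \
        -out "$WORK/wildcard.crt" 2>/dev/null
}

# Step 6 / wildcard scope: does the certificate cover host name $1?
# Uses OpenSSL's RFC 6125 matching: the wildcard matches exactly one DNS label.
covers_name() {
    openssl verify -CAfile "$WORK/wildcard.crt" -verify_hostname "$1" \
        "$WORK/wildcard.crt" >/dev/null 2>&1
}

report() {
    if covers_name "$1"; then
        echo "covered:     $1"
    else
        echo "NOT covered: $1"
    fi
}

make_csr
if ! csr_has_san; then
    echo "CSR is missing the expected SAN entries" >&2
    exit 1
fi
echo "CSR SAN ok: ${WILDCARD}, ${BASE}  (this is the file you send to the CA)"

make_test_cert
for host in "blog.${BASE}" "shop.${BASE}" "${BASE}" "deep.blog.${BASE}" "example.com"; do
    report "$host"
done
```

The first three names are reported as covered (blog and shop through the wildcard, the base name through its explicit SAN); deep.blog.subdomain.example.com and example.com are not, which is the single-label rule in action. Swap the self-signed stand-in for the CA-issued certificate and the same covers_name check validates a real deployment before it goes live.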