The Easiest Way To Secure Multi-level Subdomains

One of the most complicated issues facing larger companies, specifically enterprises, is securing digital infrastructures that include websites with multi-level subdomains. This kind of setup is a lot more common than you might realize.

And unfortunately, the way Wildcard SSL certificates are sold leads to a misconception: that all of those subdomains, at all those different levels, can be secured with a single Wildcard certificate.

That’s not the case.

But there is a solution where you can do it all on one certificate. We’ll get to that in a moment, but first let’s diagnose the problem.

The problem with subdomains

Subdomains are a regular part of the internet at this point, but securing them isn’t always as straightforward as it sounds. A Wildcard SSL certificate is marketed as being able to secure “unlimited subdomains,” and that’s partially true, with the caveat that all those subdomains must be at the same level of the URL.

And generally, that’s not a problem. But with companies that make use of multi-level subdomains in their web architecture, it can be. Especially when it’s compounded by the misperceptions about a Wildcard certificate’s functionality.

When you create the CSR for a Wildcard certificate, you place an asterisk (*) at the subdomain level you’re trying to protect. A subdomain at any other level isn’t going to be able to use that certificate, though. And the way that URLs branch at the second subdomain level can make it very complicated. Let’s look at URL structure really quickly. We’ll ignore the protocol, since that should always be HTTPS moving forward and browsers are planning to stop showing it in the address bar soon.

ThirdLevelSubdomain.SecondLevelSubdomain.FirstLevelSubdomain.Domain.TLD/Directory

If you want to secure second-level subdomains, the asterisk has to sit at the second level, directly in front of the first-level subdomain that those second-level subdomains extend from.

So it would look like this:

*.FirstLevelSubdomain.Domain.TLD/Directory

Confused yet? Now think about different second-level subdomains that extend off of varied first-level subdomains and you can see how this can all get complicated very quickly.

The answer is a Multi-Domain Wildcard SSL certificate

Much like the industry does a poor job of explaining the limitations of a standard Wildcard SSL certificate, it also kind of drops the ball on the Multi-Domain Wildcard SSL certificate, too. It’s typically presented as being for up to 250 different domains and all their (first-level) subdomains. And it can definitely do that. But there are other use cases, too.

Another appropriate way to refer to this certificate would be a “Multi-Level Wildcard.” That’s because the Multi-Domain Wildcard is perfectly suited for helping organizations with complicated website structures that use multi-level subdomains. Let’s look at how this might play out on a CSR:

FQDN: domain.com
Wildcard SAN: *.domain.com
Wildcard SAN: *.mail.domain.com
Wildcard SAN: *.members.domain.com
Wildcard SAN: *.dev.domain.com
Wildcard SAN: *.domain2.com
Wildcard SAN: *.ftp.domain2.com
Wildcard SAN: *.shop.domain2.com

What you’ve effectively done with this is secure two websites, all their first-level subdomains and five sets of second-level subdomains. And it’s all with a single certificate.

This would be prohibitively expensive for most companies to do individually with Wildcards. Just from our example, you would need to use seven different certificates to accomplish what a single Multi-Domain Wildcard, or more accurately in this case, a Multi-Level Wildcard can do with just one.
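The coverage rule described above, checked in code as an added example (not from the original article): an asterisk stands for exactly one label, so each name in the CSR covers one level only. The SAN list is the one shown above; the hostname inventory, the APEXES set and the function names are constructed for illustration.

```python
# Added example: whole-label wildcard matching, the way clients check a
# hostname against certificate names. '*' stands for exactly one label.

# Names from the article's CSR listing.
SANS = [
    "domain.com", "*.domain.com", "*.mail.domain.com", "*.members.domain.com",
    "*.dev.domain.com", "*.domain2.com", "*.ftp.domain2.com", "*.shop.domain2.com",
]
APEXES = {"domain.com", "domain2.com"}  # assumption: the registered base domains

def labels(name):
    return name.lower().rstrip(".").split(".")

def san_matches(san, host):
    """True if a single certificate name covers host."""
    s, h = labels(san), labels(host)
    if len(s) != len(h):
        return False  # a wildcard never reaches up or down a level
    if s[0] == "*":
        return h[0] != "" and s[1:] == h[1:]
    return s == h

def covering_san(sans, host):
    """First name in sans that covers host, or None."""
    return next((s for s in sans if san_matches(s, host)), None)

def entries_to_add(sans, hosts, apexes=APEXES):
    """Names that would have to be added to the CSR for the uncovered hosts."""
    needed = set()
    for host in hosts:
        if covering_san(sans, host) is None:
            name = ".".join(labels(host))
            # An apex needs its own exact entry; anything else needs a
            # wildcard at its own level.
            needed.add(name if name in apexes else "*." + name.split(".", 1)[1])
    return sorted(needed)

# Constructed hostname inventory to check against the certificate.
HOSTS = [
    "www.domain.com", "imap.mail.domain.com", "eu.api.dev.domain.com",
    "cart.shop.domain2.com", "domain2.com", "a.b.domain2.com",
]

if __name__ == "__main__":
    for host in HOSTS:
        print(f"{host:26} -> {covering_san(SANS, host) or 'NOT COVERED'}")
    print("add to CSR:", entries_to_add(SANS, HOSTS))
```

Running an inventory like this before submitting the CSR shows which hostnames would still trigger a name-mismatch warning and which entries to add for them.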

This is another ideal use case for all these new-fangled Multi-Domain Wildcard products that have come on the market over the past year and a half. You might look at one with the way it’s being advertised and ask yourself, “who would ever use that?”

Now you know.

Originally posted on Tue Nov 13, 2018