Should a wildcard SSL certificate secure both the root domain as well as the sub-domains?
Solution 1:
There's some inconsistency between SSL implementations on how they match wildcards; however, you'll need the root as an alternate name for that to work with most clients.
For a *.example.com cert:
- a.example.com should pass
- www.example.com should pass
- example.com should not pass
- a.b.example.com may pass depending on implementation (but probably not).
Essentially, the standards say that the * should match 1 or more non-dot characters, but some implementations allow a dot.
The canonical answer should be in RFC 2818 (HTTP Over TLS):
Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.
RFC 2459 says:
- A "*" wildcard character MAY be used as the left-most name component in the certificate. For example, *.example.com would match a.example.com, foo.example.com, etc. but would not match example.com.
If you need a cert to work for example.com, www.example.com and foo.example.com, you need a certificate with subjectAltNames so that you have "example.com" and "*.example.com" (or example.com and all the other names you might need to match).
Solution 2:
You're correct, the root domain needs to be an alternate name for it to validate.
Solution 3:
Every SSL provider I have ever used will automatically add the root domain as a Subject Alternative Name to a wildcard SSL certificate, so DOMAIN.COM will work automatically for a *.DOMAIN.COM wildcard cert.
Solution 4:
Basically, and for your needs (which started this whole thread), your wildcard certificate should be specified as both the root AND a first-level wildcard:
"example.com, *.example.com"
This way, a single wildcard certificate will cover both the root domain (example.com) AND any first-level subdomains (sub1.example.com, sub2.example.com, ...).
A certificate in the form of "*.example.com" MUST have a sub-domain name. Thus the root domain is explicitly excluded, since the asterisk does not accept NULL as a valid name.
TIP: The free Let's Encrypt (LE) certification authority allows this. Not all Certification Authorities abide by multilevel wildcards. You should always check with your CA provider.
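As an added example (written for this page, not code from any of the answers above and not taken from any TLS library), the following Python script implements the wildcard-matching rule that Solution 1 quotes from RFC 2818 (a `*` stands for exactly one label, or a fragment of one, in the left-most position only) and then checks the SAN list Solution 4 recommends, `example.com, *.example.com`, against root, first-level and second-level names. The host names are the answers' own placeholders; the function names are my own, and real clients should rely on their TLS stack's hostname verification rather than on code like this.

```python
"""Hostname matching against certificate dNSName entries, RFC 2818 style.

Illustrative code only: it shows why '*.example.com' alone does not cover
'example.com', and why adding the root as a subjectAltName fixes that.
"""


def label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label. A '*' may stand for the whole label ('*.a.com')
    or a fragment of it ('f*.com'); it must cover at least one character and,
    because we only ever compare single labels, it can never cover a dot."""
    if "*" not in pattern_label:
        return pattern_label == host_label
    prefix, _, suffix = pattern_label.partition("*")
    return (
        len(host_label) >= len(prefix) + len(suffix) + 1
        and host_label.startswith(prefix)
        and host_label.endswith(suffix)
    )


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name matches a hostname under the strict rule:
    the wildcard is honoured only in the left-most label and spans exactly one
    label, so '*.example.com' matches 'a.example.com' but neither the bare
    'example.com' nor 'a.b.example.com'. Comparison is case-insensitive."""
    pattern_labels = pattern.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(pattern_labels) != len(host_labels):
        return False  # '*' covers one label, so the label counts must agree
    if any("*" in label for label in pattern_labels[1:]):
        return False  # a wildcard anywhere but the left-most label is invalid
    return all(label_matches(p, h) for p, h in zip(pattern_labels, host_labels))


def cert_covers(san_names, hostname: str) -> bool:
    """RFC 2818: a match against any one dNSName in the certificate suffices."""
    return any(name_matches(name, hostname) for name in san_names)


def coverage_report(san_names, hostnames):
    """Map each hostname to whether the given SAN list covers it."""
    return {host: cert_covers(san_names, host) for host in hostnames}


if __name__ == "__main__":
    # Constructed sample data: the two SAN layouts discussed in the answers.
    wildcard_only = ["*.example.com"]
    root_plus_wildcard = ["example.com", "*.example.com"]
    hosts = ["example.com", "www.example.com", "a.example.com", "a.b.example.com"]

    for label, sans in (("wildcard only", wildcard_only),
                        ("root + wildcard", root_plus_wildcard)):
        print(f"SAN list ({label}): {sans}")
        for host, ok in coverage_report(sans, hosts).items():
            print(f"  {host:<20} {'pass' if ok else 'FAIL'}")
```

Running the script shows that the wildcard-only certificate passes `www.example.com` and `a.example.com` but fails both `example.com` and `a.b.example.com`; adding `example.com` as a second SAN entry fixes the root domain, while the second-level name still fails because `*` never spans more than one label.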