Tag Archives: multi-domain SSL

Wildcard EV SSL Certificates — Are They Possible?


Here’s why finding a Wildcard EV SSL certificate is as elusive as unicorns and Big Foot

Throughout history, explorers have searched for lands and creatures described in epic proportions in mythology. Everything from Sir Walter Raleigh’s search for El Dorado, the lost city of gold, to Ponce de Leon’s quest for the Fountain of Youth.

This quest is much the same for customers who seek extended validation (EV) wildcard SSL certificates. Customers come to us all the time on their misguided quest to find the “elusive” wildcard EV SSL certificates. They want to activate the green web address bar with ease across multiple subdomains — an ability that would be ideal for any business. But why are these EV wildcard certificates so hard to find?

To put it simply: because they don’t exist. (But there is a solution that accomplishes the same goal, which we’ll cover shortly.)

Why an Extended Validation Wildcard Certificate Isn’t Possible

Graphic: EV multi-domain wildcards elusive as unicorns

Since you’re here, looking for a wildcard EV SSL certificate, we’re going to assume that you are already familiar with what a wildcard SSL certificate is used for: securing multiple subdomains. However, the very same properties that make a wildcard SSL certificate so great are also the same ones that create security concerns. Not following? Let us explain.

The extended validation guidelines outlined by the Certificate Authority/Browser Forum (CA/B Forum) prohibit the use of extended validation for wildcard certificates. This is because every EV SSL certificate that’s issued requires careful, in-depth vetting of the organization that’s trying to obtain it. This aims to ensure that certificates are not fraudulently issued or misused after issuance by validating that every web address that an EV SSL certificate is assigned is legitimate. For a certificate to be issued by a trusted and reputable certificate authority (CA), the organization must satisfy all of the requirements outlined by the CA/B Forum.  

Wildcard EV SSL Certificates Would Create Security Concerns

Wildcard certificates undermine the very purpose of extended validation. So, as you can see, it’s not that we just don’t want to sell EV wildcard SSL certificates to you — it’s that we can’t. Not to mention, we wouldn’t be doing you or your customers any favors if we did!

After all, any qualifying subdomains that would be covered under wildcard certificates issued at the EV level would receive an EV security indicator without undergoing the rigorous scrutiny of the EV validation process. This creates an opportunity for a single compromised subdomain to be exploited as a phishing attack vector by cybercriminals — all with the EV security indicator leading customers to believe the site is safe.

Talk about finding one of the fastest routes to undermine customers’ trust in your site and organization as a whole. This tactic could lead to data breaches, identity fraud issues, and a variety of other PR nightmares.

I Still Need to Secure Multiple Subdomains — So, What’s the Solution?

We hear you. Although no certificate authority can issue EV wildcards, you still need a solution to your website security issue. The good news is that there’s something that you can purchase that will work…

Save Up to 39% on a GeoTrust Multi-Domain EV SSL Certificate

Need to secure multiple domains with extended validation to get the green address bar? We’ve got you covered with a multi-domain SSL certificate.

Browse All of Our EV SSL Certificates

Get the Green Address Bar on Multiple Subdomains with a Multi-Domain EV SSL Certificate

Need to secure multiple subdomains with extended validation? We’ve got you covered with a multi-domain SSL certificate.

When you use an EV multi-domain SSL certificate, you can list each domain and subdomain as individual SANs, or Subject Alternative Name domains.

Forget about mythical solutions like wildcard EV SSL certificates. This real-world workaround will enable you to secure each of your domains and subdomains with the EV security indicators and green address bar you desire — all while remaining compliant with CA/B Forum guidelines.

Secure Multiple Domains with One SSL Certificate


Streamline your processes using one SSL certificate for multiple domains

One of the strengths of modern SSL/TLS certificates is the diversity of functionality afforded by the different certificate types. Regardless of how your network is structured, there’s an SSL certificate that can be tailored to that use case. There’s even one SSL certificate that can handle multiple domains (suddenly, a Lord of the Rings reference comes to mind about “One Ring to Rule Them All,” but in this case, it would be “One Cert for Multiple Domains”).

There was a time when you’d need to purchase individual SSL certificates for each domain and subdomain you were trying to secure. This was expensive, time-consuming, and created a litany of headaches by upping the ante on management. Not to mention some poor schmuck in IT had to install and manage them all…

Obviously, this approach was not ideal. This is why more certificate types have been added over the years to improve functionality and make managing them a bit more “business friendly.” Nowadays, if you want to secure multiple domains, you have options, including:

Each of these certificates has its own strengths and weaknesses. Let’s run through them really quickly.

Multi-Domain/UCC Certificates

Some people categorize multi-domain and UCC certificates differently. We put them together because they both essentially serve the same function: These certificates secure multiple domains with a single certificate. This goes back to the whole “one cert for multiple domains” concept.

Multi-domain SSL certificates (also called SAN certificates) allow you to list up to 250 different domain names in the Subject Alternative Name (SAN) field of the certificate signing request (CSR). The certificate authority (CA) will perform domain control checks on all of the SANs that you’ve listed and then issue the certificate. With multi-domain SSL, you can secure domains like:

  • www.domain.com
  • Domain.com
  • Domain.net
  • Mail.domain.com
  • Domain.eu

Graphic: SSL cert multiple domains
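To make the CSR step concrete, here is an added example (not code from the original post or from any CA’s tooling) that builds the OpenSSL request config for a multi-domain certificate. The `alt_names` section is standard OpenSSL syntax for placing Subject Alternative Names in a CSR; the 250-name cap is the figure quoted above and is enforced here as an assumption, since real limits are set per product by each CA. The common name is repeated as the first SAN because browsers only consult the SAN list when matching a hostname.

```python
"""Build an OpenSSL request config that lists every hostname as a SAN.

Added example, not from the original post. Writes the config text that
`openssl req -config` consumes; the 250-SAN cap is an assumption taken
from the post, not a rule of OpenSSL itself.
"""
from __future__ import annotations

import re

MAX_SANS = 250  # cap quoted in the post for multi-domain/SAN certificates
# A DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_san(name: str) -> str:
    """Lower-case and syntax-check one DNS name (a '*' is only allowed as the first label)."""
    name = name.strip().rstrip(".").lower()
    labels = name.split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified name: {name!r}")
    for i, label in enumerate(labels):
        if i == 0 and label == "*":
            continue  # only valid on multi-domain wildcard products
        if not _LABEL.match(label):
            raise ValueError(f"invalid DNS label {label!r} in {name!r}")
    return name


def san_config(common_name: str, sans: list[str], org: str, country: str = "US") -> str:
    """Return the text of an openssl.cnf that requests every name in `sans`."""
    names: list[str] = []
    for n in [common_name, *sans]:
        n = normalize_san(n)
        if n not in names:  # a duplicate would waste a paid SAN slot
            names.append(n)
    if len(names) > MAX_SANS:
        raise ValueError(f"{len(names)} names exceeds the {MAX_SANS}-SAN cap")
    alt = "\n".join(f"DNS.{i} = {n}" for i, n in enumerate(names, start=1))
    return f"""[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[dn]
C  = {country}
O  = {org}
CN = {names[0]}

[v3_req]
subjectAltName = @alt_names

[alt_names]
{alt}
"""


if __name__ == "__main__":
    # Constructed sample input: the example hostnames from the post.
    cfg = san_config("www.domain.com",
                     ["domain.com", "domain.net", "Mail.domain.com", "domain.eu"],
                     org="Example Org")
    with open("san.cnf", "w") as fh:
        fh.write(cfg)
    print(cfg)
    # Generate the key and CSR from it with:
    #   openssl req -new -newkey rsa:2048 -nodes -keyout domain.key \
    #       -out domain.csr -config san.cnf
    # and confirm the SANs landed with:
    #   openssl req -in domain.csr -noout -text | grep -A1 'Subject Alternative Name'
```

Running the script writes `san.cnf`; the two `openssl` commands in the trailing comment generate the CSR and print its SAN extension so you can check every name before sending it to the CA.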

Unified communications certificates (UCCs) do the same thing, but they’ve been specifically designed to work with Microsoft Exchange and Office Communications servers, which are notoriously finicky. A UCC can secure up to 100 different domains.

It’s also worth noting that these HTTPS certificates for multiple domains work in shared hosting environments: the websites don’t need unique IP addresses.

The one downside to multi-domain/UCC certificates is that you have to pay by the SAN. Most certificates come with two to four SANs packaged for free — each additional SAN costs you. Though a multi-domain/UCC is still less expensive than using single domain certificates, it’s worth noting the extra cost nevertheless.

Save Up to 38% on GeoTrust Multi-Domain/UCC SSL Certificates

Protect multiple domains with a GeoTrust Multi-Domain/UCC OV SSL Certificate.

Get a GeoTrust Multi-Domain OV SSL certificate, starting at $221.96/year

Wildcard SSL Certificates

A wildcard SSL certificate is ideal for websites that use subdomains, which is another common practice for enterprises. With a wildcard certificate, you place a wildcard character, an asterisk (*), at the subdomain level you’d like to secure. Once the certificate is issued, any subdomain on that level of the URL can be secured with the certificate. Even if you haven’t created it yet. Wildcard certificates are entirely futureproof — if you ever add a subdomain at any point during the validity period of the certificate, you can secure it.

If you list *.domain.com in your CSR, you can secure:

  • Mail.domain.com
  • Login.domain.com
  • FTP.domain.com

There’s no cap, either. Technically, you can secure an unlimited number of subdomains on the designated level of the URL. For example, you could secure unlimited subdomains on the first level, or the second level, or the third level — but not all of them.

Not sure what we mean by first level- versus second- or third-level subdomains? This will help:

ThirdLevel.SecondLevel.FirstLevel.Domain.TLD

Wildcard Certificates Aren’t Perfect

There are a couple of drawbacks to wildcards, though, that we need to mention. The biggest is that you can’t get an EV version of it. No, that’s not because we just don’t want to issue them, either. The wildcard character offers too much latitude for the Certificate Authority/Browser Forum (CA/B Forum) to feel comfortable giving it extended validation (EV) status. If you want the green bar on subdomains, you’ll need to use a multi-domain certificate.

Additionally, wildcards can only secure subdomains on a single level of the URL. If you want to secure second- or third-level subdomains, it can be done. However, it becomes cost-prohibitive, and you have to name specific subdomains at the preceding URL levels — which, again, gets expensive at scale.

Multi-Domain Wildcard Certificates

The most recent addition to the SSL/TLS product field is the multi-domain wildcard or wildcard SAN certificate. This combines the functionality of both multi-domain and wildcard certificates. You can use wildcard characters in the SAN fields, which gives you more flexibility. In fact, one of the most popular use cases for the multi-domain wildcard is as a multi-level wildcard.

Save 82% on GeoTrust OV Multi-Domain Wildcard SSL Certificates

Protect your domains and subdomains with a GeoTrust OV Multi-Domain Wildcard SSL Certificate.

Get a GeoTrust OV Multi-Domain Wildcard SSL certificate, starting at $334.08/year

Multi-Domain Wildcard Certificates Aren’t Perfect, Either

The same drawback applies to multi-domain wildcards as well: There is no EV version of this certificate. The CA/Browser Forum (CA/B Forum) prohibits EV wildcards from being issued entirely. As such, you’d need to pick another option if you wanted to leverage the green address bar.

How Encryption Works When Securing Multiple Domains

Anytime a client connects to a website, the server sends a copy of its SSL certificate to the client as part of the SSL handshake. The client performs a series of checks on the certificate to authenticate it:

  • Verifies the certificate’s validity;
  • Checks its revocation status;
  • Verifies signatures; and
  • Follows the certificate chain and checks the listed host names against the one it’s connecting to.

This process is the same whether it’s a single domain certificate or a full multi-domain certificate with 250 SANs. Each website secured by that certificate uses the same certificate — the client will work through each listed host name looking for a match. It’s not unlike a teacher taking attendance at the start of a class — just reading through a list of names and seeing who’s present.
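The “attendance” step above, and the single-level wildcard rule from the Wildcard SSL Certificates section, can both be seen in one added example (not code from the original post; the certificate record is constructed, not a real X.509 certificate). The client walks the SAN list in order until an entry matches, and a wildcard entry consumes exactly one label at the left-most position, which is why `*.domain.com` covers `mail.domain.com` but neither `domain.com` nor `a.b.domain.com`. Signature, chain and revocation checks need real certificate material and a trust store, so the example models only the validity window and the hostname match.

```python
"""Client-side hostname matching against a certificate's SAN list.

Added example, not from the original post. The wildcard rule follows the
single-label behaviour the post describes (and RFC 6125 style matching):
'*' matches exactly one label and only as the left-most label.
"""
from __future__ import annotations

from datetime import datetime, timezone

# Constructed sample certificate record (not a real certificate). A real
# client parses these fields out of the X.509 structure it received.
SAMPLE_CERT = {
    "subject_cn": "www.domain.com",
    "not_before": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2025, 1, 1, tzinfo=timezone.utc),
    "sans": ["www.domain.com", "domain.com", "domain.net",
             "mail.domain.com", "domain.eu", "*.shop.domain.com"],
}


def _normalize(name: str) -> str:
    # DNS names are case-insensitive and a trailing dot is the same host.
    return name.strip().rstrip(".").lower()


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN entry (possibly a wildcard) covers hostname."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a lone '*' as the left-most label is accepted; '*.*.domain.com',
    # 'ma*.domain.com' and 'mail.*.com' are all rejected.
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False
    # The wildcard consumes exactly one label, so the label counts must be
    # equal: 'a.b.domain.com' (4 labels) never matches '*.domain.com' (3).
    if len(p_labels) != len(h_labels):
        return False
    # Defensive choice for this example: refuse '*.com' style patterns.
    if len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_covered(cert: dict, hostname: str) -> str | None:
    """Walk the SAN list in order and return the entry that matched, or None.

    The subject CN is deliberately ignored: modern clients only consult SANs.
    """
    for san in cert["sans"]:
        if wildcard_matches(san, hostname):
            return san
    return None


def check_certificate(cert: dict, hostname: str, now: datetime) -> list[str]:
    """Return the failures for the two checks this example can model."""
    failures = []
    if not (cert["not_before"] <= now <= cert["not_after"]):
        failures.append("certificate is outside its validity period")
    if hostname_covered(cert, hostname) is None:
        failures.append(f"no SAN entry matches {hostname!r}")
    return failures


if __name__ == "__main__":
    when = datetime(2024, 6, 1, tzinfo=timezone.utc)
    for host in ["Mail.Domain.com", "store.shop.domain.com",
                 "a.b.shop.domain.com", "shop.domain.com", "ftp.domain.com"]:
        result = check_certificate(SAMPLE_CERT, host, when)
        print(f"{host:24} -> {result or 'OK'}")
```

Note that `shop.domain.com` itself fails even though `*.shop.domain.com` is listed: the wildcard needs a label to stand in for, which is the same reason a wildcard certificate on one level cannot cover the level above or below it.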

Bueller? Bueller? Anyone? Bueller?

Encryption is the Same Regardless of the Type of SSL Certificate

Keep in mind, the level of security provided by an SSL certificate doesn’t vary by validation level or functionality. In fact, the certificate really just binds your identity to a public key and lists the parameters it supports for an encrypted connection; the actual strength of the security is contingent upon the protocol versions and cipher suites that the server and client are capable of negotiating.

So, find the certificate that fits you and don’t worry about whether you’ll be secure. Well, do worry about that — just don’t blame the certificate. It’s just the messenger in this arrangement – and as the saying goes, don’t shoot the messenger.