Feb 3, 2012
tom

Wildcard certificate with SAN

Question

I am attempting to create a wildcard SSL cert with a Subject Alternative Name (SAN) for use in IIS 7.5 and I’m having some issues. Because I need to include a SAN, I am using the Custom Certificate Request tool under the Certificates snap-in on Windows.

Thus far, I have managed to get a working wildcard certificate when I use the IIS 7.5 Create Certificate Request wizard, and a working SAN certificate when I use the Custom Certificate Request wizard (in the Certificates snap-in), but I have been unable to get both working in the same cert.

The cert which I generated with the Custom Certificate Request wizard has the following properties:

Subject Name:

  • CN=*.domain.local

Alternative Name:

  • DNS=domain.local

Extended Key Usage:

  • Server Authentication

(Private) Key Type:

  • Exchange

(Private) Key Options:

  • Key size: 2048
  • [x] Make private key exportable

With the above cert in IIS 7.5, requests to the SAN of https://domain.local are secure, but https://*.domain.local requests are insecure, with the browser stating that the cert is only valid for domain.local (instead of *.domain.local).

Ultimately, my objective is to have a cert which works on *.domain.local and domain.local.

Using the Custom Certificate Request wizard in the Windows Certificates snap-in, how can I create a certificate request for a cert containing a wildcard and a SAN attribute?

Asked by Nathan Taylor

Answer

When a subject alternative name is in place, the common name (edit: from the subject) is no longer used. Solution: Add the wildcard name to the list of subject alternative names.

Answered by unixtippse
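To see why the asker's certificate behaves this way, here is an added example (not from the question or answer) that reproduces browser-style hostname matching per RFC 6125/RFC 2818: when a subjectAltName extension is present, only its DNS entries are consulted and the subject CN is ignored, and a wildcard covers exactly one label. The two certificate dictionaries are constructed to mirror the asker's cert and the fixed cert the answer describes; they follow the shape of `ssl.SSLSocket.getpeercert()` output.

```python
"""Hostname matching the way browsers do it (RFC 6125 / RFC 2818).

With a subjectAltName extension present, only its dNSName entries count and
the subject CN is ignored. This reproduces the asker's failure and shows the
effect of the fix from the answer (add the wildcard to the SAN list).
"""


def _match_pattern(pattern: str, hostname: str) -> bool:
    """Match one dNSName pattern against a hostname.

    A wildcard is honoured only as the entire left-most label and matches
    exactly one label, so '*.domain.local' covers 'www.domain.local' but
    neither 'domain.local' nor 'a.b.domain.local'.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # Reject partial wildcards ('w*.domain.local') and too-broad ones ('*.local')
    if labels[0] != "*" or len(labels) < 3 or any("*" in lbl for lbl in labels[1:]):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def cert_matches(cert: dict, hostname: str) -> bool:
    """cert is shaped like ssl.getpeercert(): 'subject' as RDN tuples and an
    optional 'subjectAltName' list of (type, value) pairs."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        # SAN present: CN is never consulted, whatever it says
        return any(_match_pattern(p, hostname) for p in san)
    # CN is only a fallback for certificates with no SAN extension at all
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_match_pattern(cn, hostname) for cn in cns)


# Constructed sample certs: the asker's request and the answer's fix
ASKER_CERT = {
    "subject": ((("commonName", "*.domain.local"),),),
    "subjectAltName": (("DNS", "domain.local"),),
}
FIXED_CERT = {
    "subject": ((("commonName", "*.domain.local"),),),
    "subjectAltName": (("DNS", "*.domain.local"), ("DNS", "domain.local")),
}

if __name__ == "__main__":
    for host in ("domain.local", "www.domain.local", "a.b.domain.local"):
        print(f"{host:18} asker={cert_matches(ASKER_CERT, host)!s:5} "
              f"fixed={cert_matches(FIXED_CERT, host)}")
```

The same single-label rule is why the fixed SAN list needs both `*.domain.local` and `domain.local`: the wildcard alone would not cover the bare domain.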
