While IT professionals may be very comfortable with all the details of SSL certificates, those new to them may find the specifics a bit more challenging. To understand the different options, let's start with what an SSL certificate does.
The purpose of any SSL/TLS certificate, of any type, is to let a client confirm that it is talking to the genuine server for a domain name and then set up an encrypted session with it. The certificate binds a public key to that domain name; the session itself is protected by symmetric encryption. Today that means an RSA key of at least 2048 bits for the certificate and its signature, and 256-bit session keys (for example AES-256) for the data. With current technology, brute-force attacks on keys of this size are extremely unlikely to succeed. An attacker may find other ways in, but simply breaking the encryption is not a realistic option.
The encryption rests on a key pair. The public key is embedded in the certificate, which the server sends to every client that connects. The private key is held only on the server and must never leave it. During the handshake the server proves it holds the private key matching the certificate's public key; only then does the client trust the certificate and agree on session keys with the server. Whoever holds the private key can therefore act as the server for every name the certificate covers.
In a traditional SSL certificate there is one domain name, or Fully Qualified Domain Name (FQDN), per certificate, and the name the client connected to must match a name in the certificate for the certificate to be valid. With the wildcard option, one certificate can cover a whole set of subdomains. To accomplish this the asterisk (*) is used in place of the leftmost label of the FQDN, for example *.xyz.com instead of www.xyz.com. The asterisk stands for exactly one label, so *.xyz.com covers www.xyz.com and mail.xyz.com but not imap.mail.xyz.com. The bare domain xyz.com is not matched by the wildcard itself; most commercial CAs add it to the same certificate as an additional name so that the main domain is covered as well.
However, you can also have a Wildcard SSL certificate for two levels. In other words, you can have subdomains within a subdomain that are covered by one product rather than needing many.
How it Works
To generate a CSR (Certificate Signing Request) for a Wildcard SSL certificate covering two levels, you first need to decide which subdomain you wish to divide further.
For example, with a first-level wildcard of *.xyz.com, where xyz.com is the website's domain, the wildcard is a placeholder for mail.xyz.com, photos.xyz.com, payments.xyz.com and any other single-label host name under xyz.com, including ones created after the certificate was issued.
To cover the hosts within mail.xyz.com, you generate a CSR that uses *.mail.xyz.com as the FQDN. Here the asterisk stands for any single label under "mail", such as imap.mail.xyz.com or smtp.mail.xyz.com.
It is important to realize that this certificate would not cover the hosts under photos.xyz.com. That subdomain would need its own Wildcard SSL certificate for two levels, but that certificate would likewise cover every current and future host name added directly under photos.xyz.com. Note that wildcards apply to host names only; directories and paths on a site are never part of a certificate.
What is not possible is to cover the hosts under both mail.xyz.com and photos.xyz.com with a single wildcard. A Certificate Authority (CA) will only issue a certificate with a single asterisk, and only in the leftmost label. You cannot generate a Certificate Signing Request for *.*.xyz.com to cover more than one second-level subdomain group, and even if you could, browsers would not accept such a name.
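The matching behaviour described above, both the single-level wildcard of *.xyz.com and the two-level case of *.mail.xyz.com, can be made concrete with a small name-matching routine. The block below is an added example written for this page, not code from the page's authors or from any certificate product. It implements the wildcard rules that TLS clients apply and that CAs follow when issuing (the asterisk must be the entire leftmost label and stands for exactly one label), and uses xyz.com, the hypothetical domain from the text, with constructed lists of certificate names.

```python
"""Wildcard certificate name matching (added example; standard library only).

Rules implemented, as used by TLS clients and by CA issuance policy:
  * '*' may appear only as the entire leftmost label of the name;
  * '*' matches exactly one label, never zero and never more than one;
  * a name may contain only one wildcard, so '*.*.xyz.com' is rejected.
"""


def _labels(name: str) -> list:
    # Normalise case and drop a trailing dot before splitting into labels.
    return name.lower().rstrip(".").split(".")


def is_valid_cert_name(name: str) -> bool:
    """True if `name` is a DNS name a CA could put in a certificate.

    Accepts plain FQDNs and single-level wildcards such as '*.mail.xyz.com'.
    Rejects '*.*.xyz.com', 'mail.*.xyz.com', 'm*.xyz.com' and a bare '*'.
    """
    labels = _labels(name)
    if len(labels) < 2 or any(lbl == "" for lbl in labels):
        return False
    # No label other than the leftmost may contain a wildcard.
    if any("*" in lbl for lbl in labels[1:]):
        return False
    # If the leftmost label has a wildcard it must be the whole label.
    if "*" in labels[0] and labels[0] != "*":
        return False
    return True


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if `hostname` is covered by the certificate name `cert_name`."""
    if not is_valid_cert_name(cert_name):
        return False
    cert_labels = _labels(cert_name)
    host_labels = _labels(hostname)
    # A wildcard stands for exactly one label, so the label counts must agree.
    # This is why '*.xyz.com' covers neither 'xyz.com' nor 'a.mail.xyz.com'.
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        return host_labels[0] != "" and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def covering_names(cert_names, hostname: str) -> list:
    """Return the names from a certificate's name list that cover `hostname`."""
    return [n for n in cert_names if name_matches(n, hostname)]


if __name__ == "__main__":
    # Constructed name lists for the hypothetical xyz.com used on this page.
    first_level = ["xyz.com", "*.xyz.com"]          # typical first-level wildcard cert
    second_level = ["mail.xyz.com", "*.mail.xyz.com"]  # two-level wildcard for "mail"
    hosts = ["xyz.com", "mail.xyz.com", "photos.xyz.com",
             "imap.mail.xyz.com", "a.b.mail.xyz.com", "pics.photos.xyz.com"]
    for host in hosts:
        print(f"{host:22} first-level: {covering_names(first_level, host)!s:16} "
              f"second-level: {covering_names(second_level, host)}")
    for bad in ["*.*.xyz.com", "mail.*.xyz.com", "m*.xyz.com"]:
        print(f"{bad:22} issuable: {is_valid_cert_name(bad)}")
```

Running the script shows that *.xyz.com covers mail.xyz.com and photos.xyz.com but not imap.mail.xyz.com, that *.mail.xyz.com covers imap.mail.xyz.com but nothing under photos.xyz.com, and that *.*.xyz.com is simply not a name a certificate can carry. The bare domain xyz.com is covered only because it is listed explicitly, which is why CAs add it as a separate name on a wildcard certificate.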
The Reason Why
The reason a "double wildcard" SSL certificate is not possible is that the placeholder, the asterisk, may stand in for only one label, and only the leftmost one, in the name submitted to the CA. This is both the issuance rule CAs follow (the CA/Browser Forum Baseline Requirements) and the matching rule browsers apply (RFC 6125). The CA has to verify control of the domain the wildcard hangs under, and a name with more than one variable label would leave unclear exactly which names had been validated, weakening the confidence the certificate is meant to provide.
Additionally, and this is important for IT managers and website owners as well, the one-level rule limits the damage a misused private key can do. Keep in mind that once an SSL certificate is in place, a security issue is much more likely to come from a breach of the key than from the cryptography: someone, whether an insider or an attacker, who obtains the private key and certificate can set up a host under any name the certificate covers and be trusted by every browser. A key for *.xyz.com can impersonate any single-label host under xyz.com; a key for *.mail.xyz.com is useful only under mail.xyz.com, so keeping each wildcard to one level keeps that exposure narrow. Whatever the scope, the private key should be stored only where it is needed and handled with restricted access.
We take your website security and trustworthiness very seriously. Our Wildcard SSL certificate for two levels is carefully designed to provide a high level of security combined with a low-cost option to secure a main domain and unlimited subdomains, or second-level subdomains, as required.
We know this can be confusing, so if you have any questions, please give us a call at +1 888 266 6361. Our staff is here to make sure you get just the certificate you need to secure your site and protect your customers' private information.