SSL certificates can secure websites of any size and complexity. Since HTTPS became a requirement, more users have learned how to install and manage SSL certs on different platforms. However, less technical users often run into trouble once multi-level subdomains enter the picture. Unlike a single website, which uses a one-domain certificate, multi-level subdomains can be encrypted with several different types of certs. The million-dollar question is: how many SSL certificates do you need to secure second-level or third-level subdomains? In this article, we’ll tell you the answer.
Wildcard SSL Certificates – a quick overview
We’ve already covered Wildcard SSL extensively in our blog and FAQ sections. But for this post, let’s recap its features and limitations.
A regular SSL certificate protects one domain name or Fully Qualified Domain Name (FQDN). The name in the certificate and the name the browser connects to must match for the certificate to be valid. With the wildcard option, you can secure unlimited subdomains along with the main domain, all under a single SSL installation.
When you order an SSL certificate, your first step is to generate a CSR (Certificate Signing Request). For a Wildcard cert, you put an asterisk (*) in front of the domain name you want to secure, for example *.yourdomain.com. You can then encrypt any subdomains at that level without an extra certificate.
A wildcard SSL certificate encrypts unlimited subdomains on the same level. For instance, a wildcard certificate for *.yourdomain.com will encrypt:
- blog.yourdomain.com
- news.yourdomain.com
- mail.yourdomain.com
But what happens when you need to secure two-level or multi-level subdomains?
Wildcard certificates for second-level subdomains
In the Domain Name System (DNS) hierarchy, a second-level subdomain is a subdomain that is directly below the first subdomain. Seems confusing? Here’s how it would look in the URL:
secondlevel.firstlevel.yourdomain.com
To create a CSR for a Wildcard SSL certificate that covers a second level, you first need to know which subdomain you wish to subdivide. For instance, with a first-level wildcard for the FQDN *.yourdomain.com, the asterisk is a placeholder for blog.yourdomain.com, news.yourdomain.com, mail.yourdomain.com, or any other first-level name you choose.
Now, to create a subdivision within blog.yourdomain.com, you would generate a CSR with *.blog.yourdomain.com in place of the FQDN. Here the asterisk stands in for all the potential second-level subdomains of the “blog” subdomain.
But what happens when you want to add a second-level subdomain to one of your other subdomains like news.yourdomain.com? You would need another Wildcard certificate.
Unfortunately, it’s not possible to encrypt both the subdomains of blog.yourdomain.com and the subdomains of news.yourdomain.com with a single Wildcard. Certificate Authorities can only issue an SSL certificate with a single asterisk (*). You simply can’t generate a CSR that looks like *.*.yourdomain.com to try to cover more than one second-level subdomain group. The asterisk only applies to one label in the name submitted to the CA.
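The single-label rule is easy to get wrong by intuition, so here is a small matcher that applies it the way CAs and browsers do. This is an added example, not code from the original article or from any CA; the hostnames and patterns in it are constructed sample values.

```python
# Added example: a minimal certificate-name matcher that follows the
# one-label wildcard rule described above. It shows why *.yourdomain.com
# covers blog.yourdomain.com but not dev.blog.yourdomain.com, and why a
# pattern such as *.*.yourdomain.com can never match anything.
# All hostnames and patterns here are constructed sample values.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`.

    Rules implemented:
      * names compare case-insensitively and ignore a trailing dot;
      * a pattern without '*' must equal the hostname exactly;
      * at most one '*' is allowed, it must be the entire leftmost label,
        and it matches exactly one label (it never spans a dot);
      * the wildcard must sit below at least two labels (no '*.com').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    if "*" not in pattern:
        return pattern == hostname

    # Reject multiple wildcards, partial-label wildcards (e.g. "bl*g"),
    # a wildcard anywhere but the first label, and *.tld patterns.
    if pattern.count("*") != 1 or p_labels[0] != "*" or len(p_labels) < 3:
        return False

    # One label per '*': the host needs exactly as many labels as the
    # pattern, and every label after the first must match.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def covered_by(pattern: str, hostnames: list[str]) -> list[str]:
    """Filter `hostnames` down to those the single name `pattern` would cover."""
    return [h for h in hostnames if wildcard_matches(pattern, h)]


if __name__ == "__main__":
    hosts = [  # constructed sample hostnames
        "yourdomain.com",
        "blog.yourdomain.com",
        "news.yourdomain.com",
        "dev.blog.yourdomain.com",
        "abc.news.yourdomain.com",
    ]
    for pattern in ("*.yourdomain.com", "*.blog.yourdomain.com", "*.*.yourdomain.com"):
        print(f"{pattern:24} -> {covered_by(pattern, hosts)}")
```

Note that, taken strictly, *.yourdomain.com does not match the bare yourdomain.com either; in practice CAs add the bare domain as a separate Subject Alternative Name on a Wildcard certificate, which is why the main domain is covered as well.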
Ultimately, it’s all about security, as the CAs have to verify every SSL application. Too many variables in a certificate, such as multi-level subdomains, would strain CAs’ resources. Nonetheless, there’s an excellent solution for multi-level subdomains: a Multi-Domain Wildcard SSL certificate.
Encrypt multi-level subdomains with Multi-Domain Wildcard certs
A Multi-Domain Wildcard SSL certificate is the most convenient and cost-efficient solution when you need to secure multi-level subdomains. It allows encrypting multiple levels of subdomains with one certificate. Like the wildcard certificate, it can work whether the websites are on the same or separate servers.
Suppose you have to secure the following 8 subdomains:
- yourdomain.com
- blog.yourdomain.com
- news.yourdomain.com
- dev.yourdomain.com
- dev.blog.yourdomain.com
- dev.news.yourdomain.com
- abc.news.yourdomain.com
- xyz.news.yourdomain.com
If you used a standard single-domain SSL certificate, you’d need 8 separate SSL certificates. That’s a lot of hassle and money!
With a Wildcard SSL certificate, you can narrow down the number of required certs to just 4:
- *.yourdomain.com
- *.blog.yourdomain.com
- *.news.yourdomain.com
- *.dev.yourdomain.com
That’s a lot of savings, but it is still a costly option once you count the time spent on installation and renewal.
A Multi-Domain Wildcard SSL certificate comes with 3 SANs (Subject Alternative Names) by default, and up to 250 SANs for an additional fee. In our case, you’d need to buy just one multi-domain wildcard certificate and add just one SAN. Thus all four of your wildcard names will be encrypted under a single certificate.
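To make the SAN count above concrete, here is a small planner that turns a list of hostnames into the wildcard entries a Multi-Domain Wildcard certificate would need, and reports how many exceed the included allowance. This is an added example, not the article’s or any CA’s own code; the default SAN count of 3 is the figure the article quotes and is an assumption that varies by CA and product, and the hostnames are the article’s sample list.

```python
# Added example: plan the SAN entries for a Multi-Domain Wildcard certificate.
# Each hostname with three or more labels is covered by the wildcard that
# replaces its leftmost label; the bare domain (yourdomain.com) has no parent
# label to replace and is listed as a SAN of its own.
# The default SAN allowance below is the article's figure (assumption).

DEFAULT_SAN_COUNT = 3  # per the article; differs between CAs and products


def wildcard_for(hostname: str) -> str:
    """Return the single-level wildcard name that covers `hostname`.

    dev.blog.yourdomain.com -> *.blog.yourdomain.com
    blog.yourdomain.com     -> *.yourdomain.com
    yourdomain.com          -> yourdomain.com (no wildcard can cover it)
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return ".".join(labels)
    return "*." + ".".join(labels[1:])


def plan_sans(hostnames: list[str]) -> list[str]:
    """Return the de-duplicated list of SAN entries, in first-seen order."""
    sans: list[str] = []
    for host in hostnames:
        name = wildcard_for(host)
        if name not in sans:
            sans.append(name)
    return sans


def extra_sans_needed(sans: list[str], included: int = DEFAULT_SAN_COUNT) -> int:
    """How many SANs must be bought on top of the included allowance."""
    return max(0, len(sans) - included)


def openssl_san_value(sans: list[str]) -> str:
    """Format the entries as an OpenSSL subjectAltName extension value."""
    return "subjectAltName=" + ",".join(f"DNS:{name}" for name in sans)


if __name__ == "__main__":
    hosts = [  # the article's sample list
        "yourdomain.com", "blog.yourdomain.com", "news.yourdomain.com",
        "dev.yourdomain.com", "dev.blog.yourdomain.com", "dev.news.yourdomain.com",
        "abc.news.yourdomain.com", "xyz.news.yourdomain.com",
    ]
    sans = plan_sans(hosts)
    print(f"{len(hosts)} hostnames -> {len(sans)} SAN entries:")
    for name in sans:
        print("  ", name)
    print("extra SANs beyond the default allowance:", extra_sans_needed(sans))
    print(openssl_san_value(sans))
```

For the article’s eight hostnames the planner also arrives at four entries and one extra SAN, but it lists the bare yourdomain.com rather than *.dev.yourdomain.com, because nothing in the list sits below dev.yourdomain.com. The last line it prints can be passed to OpenSSL 1.1.1 or later as `openssl req -new -key key.pem -subj "/CN=*.yourdomain.com" -addext "<that value>"` when generating the CSR; the CA will still decide which names it actually issues.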
Conclusion
You can’t encrypt second-level subdomains without a separate Wildcard SSL certificate for each of them. If you have multiple levels of subdomains, a Multi-Domain Wildcard SSL certificate is your best option! Instead of buying several Wildcard certificates, you will save precious time and money with just one multi-domain wildcard cert, both during the first installation and at renewal.