
Purpose

This document explains some of the limitations and special behaviors of wildcard certificates, and how to request wildcard certificates for common hostname structures. Wildcard certificates allow you to use the same certificate with different DNS names.

Prerequisites

Experience generating a Certificate Signing Request (CSR) and requesting an InCommon certificate.


Use Cases


Simple Wildcard Certificate (*.spud.washington.edu)

Requirements

You want to request a certificate that will match any subdomain of spud.washington.edu, e.g. mail.spud.washington.edu and admin.spud.washington.edu. Important: this type of wildcard certificate will not match the top-level subdomain spud.washington.edu itself. See "Simple Wildcard Certificate Including Top-level Subdomain" to add the top-level subdomain to your certificate.

Procedure

Generate a CSR, and specify *.spud.washington.edu as the subject (subject is sometimes referred to as CN).

Simple Wildcard Certificate Including Top-level Subdomain (*.spud.washington.edu and spud.washington.edu)

Requirements

You want to request a certificate that will match any subdomain of spud.washington.edu, e.g. www.spud.washington.edu and mail.spud.washington.edu, as well as the top-level subdomain spud.washington.edu.

Procedure

Generate a CSR, and specify spud.washington.edu as the subject (subject is sometimes referred to as CN). When you submit the CSR to Certificate Services, enter *.spud.washington.edu in the Certificate Services interface. See screenshot below.


Advanced Wildcard Certificate (Multiple Levels of Subdomains)

Requirements

You have several levels of subdomains with different hosts, and you want to use the same certificate with all of them. A wildcard only matches one level below the subdomain it is specified for (e.g. *.*.spud.washington.edu won't work), so we need to leverage multiple AltNames. Suppose you have the following DNS names you want the cert to work with:


spud.washington.edu
eval.spud.washington.edu
star.eval.spud.washington.edu
star2.eval.spud.washington.edu
dev.spud.washington.edu
planet1.dev.spud.washington.edu
planet2.dev.spud.washington.edu
galaxy.roguedev.dev.spud.washington.edu
galaxy2.roguedev.dev.spud.washington.edu


Procedure

Generate a CSR, and specify spud.washington.edu as the subject (subject is sometimes referred to as CN). When you submit the CSR to Certificate Services, enter the following in the AltNames list, separated by commas:


eval.spud.washington.edu
*.eval.spud.washington.edu
dev.spud.washington.edu
*.dev.spud.washington.edu
*.roguedev.dev.spud.washington.edu


So, you would enter: eval.spud.washington.edu, *.eval.spud.washington.edu, dev.spud.washington.edu, *.dev.spud.washington.edu, *.roguedev.dev.spud.washington.edu

For reference, the following table demonstrates which AltNames match which hostnames:


Hostname                                    Matching AltName
------------------------------------------  --------------------------------------------
spud.washington.edu                         None. Matched in Certificate Subject (or CN)
eval.spud.washington.edu                    eval.spud.washington.edu
star.eval.spud.washington.edu               *.eval.spud.washington.edu
star2.eval.spud.washington.edu              *.eval.spud.washington.edu
dev.spud.washington.edu                     dev.spud.washington.edu
planet1.dev.spud.washington.edu             *.dev.spud.washington.edu
planet2.dev.spud.washington.edu             *.dev.spud.washington.edu
galaxy.roguedev.dev.spud.washington.edu     *.roguedev.dev.spud.washington.edu
galaxy2.roguedev.dev.spud.washington.edu    *.roguedev.dev.spud.washington.edu

Note that the host roguedev.dev.spud.washington.edu, if it exists, will not be matched by this certificate unless it is included as a separate AltName. Wildcard AltNames do not include the "wildcarded" subdomain; it must be included as a separate AltName. That's why above we've included both *.eval.spud.washington.edu and eval.spud.washington.edu as AltNames.
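The matching rules described in this section, applied to the page's own hostnames as an added example (this is not Certificate Services' or the page's code; the SUBJECT and ALT_NAMES values are taken from the procedure above, and the checker is a plain one-label wildcard matcher rather than any particular browser's implementation):

```python
# Added example, not part of the original page: a small checker that applies
# the wildcard rules described above (a "*" covers exactly one DNS label and
# never the parent name itself) to the page's sample hostnames, so you can see
# which subject/AltName entry covers each host before submitting a CSR.

# Constructed from the "Advanced Wildcard Certificate" example above.
SUBJECT = "spud.washington.edu"
ALT_NAMES = [
    "eval.spud.washington.edu",
    "*.eval.spud.washington.edu",
    "dev.spud.washington.edu",
    "*.dev.spud.washington.edu",
    "*.roguedev.dev.spud.washington.edu",
]


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (plain or leading-wildcard) covers hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname          # plain name: exact match only
    suffix = pattern.split(".")[1:]         # labels to the right of the "*"
    labels = hostname.split(".")
    # The wildcard stands for exactly one label, so the host needs one label
    # more than the suffix, and everything after that label must be identical.
    # This is why *.example.edu covers a.example.edu but neither example.edu
    # nor a.b.example.edu.
    return len(labels) == len(suffix) + 1 and labels[1:] == suffix


def matching_entry(hostname: str, subject: str = SUBJECT, alt_names=ALT_NAMES):
    """Return the entry that covers hostname: 'CN' for the subject, the AltName
    string, or None when nothing in the certificate would cover it."""
    if name_matches(subject, hostname):
        return "CN"
    for alt in alt_names:
        if name_matches(alt, hostname):
            return alt
    return None


if __name__ == "__main__":
    for host in ["spud.washington.edu", "star.eval.spud.washington.edu",
                 "galaxy2.roguedev.dev.spud.washington.edu",
                 "roguedev.dev.spud.washington.edu", "a.b.spud.washington.edu"]:
        print(f"{host:42} -> {matching_entry(host)}")
```

Running it shows that roguedev.dev.spud.washington.edu is in fact covered in this particular list by the *.dev.spud.washington.edu entry (it is one label below dev), whereas *.roguedev.dev.spud.washington.edu on its own would not cover it, and a.b.spud.washington.edu is covered by nothing. Current browsers match hostnames against the SAN (AltName) list rather than the CN, so confirm that the issued certificate also lists the subject name among its AltNames.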
