Wildcard SSL: everything you need to know
Wildcard certificates are named after the wildcard character, the asterisk, which defines the group of sub-domains the certificate covers.
Put simply, the asterisk stands for exactly one label: it never extends across a dot. Two or more asterisks in one name are not permitted, so a name with a wildcard at several levels cannot be certified.
A wildcard certificate is a certificate that applies SSL to any number of sub-domain hosts of a domain (FQDN). Recently, about 40% of SSL certificates issued have been wildcard certificates, which reflects how widely used they are.
It is called a wildcard because the certificate's domain (the CN and the DNS Name) takes the form *.mydomain.com. It is a form of multi-name (SAN) certificate: the names are carried in the Subject Alternative Name extension of an X.509 v3 certificate. In the certificate detail view of a web browser, the base domain and the wildcard entry appear as separate [Subject Alternative Name - DNS Name] items; the base domain is listed on its own because *.mydomain.com does not cover mydomain.com itself.
For example, when you open the certificate details of a page served with a wildcard certificate in a web browser, the name is displayed in exactly this *.mydomain.com form.
Even with these limitations, wildcard certificates are a very convenient way to encrypt traffic to a large number of sub-domains. The trade-off is that every host presenting the certificate holds the same private key, so a compromise of any one of them exposes all the others; keep the key on as few systems as possible.
SSL Digital Certificate
An SSL certificate is an electronic document, vouched for by a third party, that binds a server's identity to its public key. As soon as the client connects, the server sends this certificate to the client; the client checks that it chains to a trusted issuer and matches the host name it requested, and only then carries on with the handshake. The advantages of using SSL and SSL digital certificates are as follows.
Communication content can be prevented from being exposed to attackers.
It is possible to determine whether the server to which the client connects is a trusted server.
You can prevent malicious alteration of communication contents.
Example of entering the CN (domain) when applying for issuance
CN: the wildcard name must follow the pattern *.example.com or *.sub2.sub1.sslcert.co.net, exactly as it will appear as a DNS Name.
CN: enter the base FQDN as the CN, leaving out the leading *. (for the *.example.com wildcard, the CN is example.com).
ex) If *.sub.sslcert.co.net is the representative domain, enter sub.sslcert.co.net as the CN.
SAN: the wildcard names themselves, in the form *.example.com or *.sub.sslcert.co.net, are entered as additional names during the DCV (domain control validation) step of the application. Browsers match the host name against the SAN entries and ignore the CN, so the wildcard must be present in the SAN.
Notes (Caution for errors)
Only the single label in the asterisk's position is unlimited. A form such as .sslcert.co.net (nothing in front of the dot) is not possible, and the wildcard cannot be applied to several levels of sub-domain at once: *.sslcert.co.net covers one label to the left of sslcert.co.net and nothing deeper.
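The single-label rule, as an added example that is not part of the original page: a small POSIX shell function that applies the rule to a pattern and a host name. It is illustrative code written for this page, not the validation logic of any CA or TLS library, and the patterns and host names it is run on are constructed for the demo. A real TLS client applies the same test to every DNS Name in the SAN, which is why the base domain only matches when it is listed on its own.

```shell
#!/bin/sh
# Added example: host-name matching under the single-label wildcard rule.
# Rules implemented:
#   - the asterisk must be the entire leftmost label ("*.example.com");
#   - it stands for exactly one non-empty label, so it never crosses a dot
#     and never covers the base domain itself;
#   - names with two or more asterisks, an asterisk that is not the whole
#     leftmost label ("w*.example.com"), or a wildcard directly on a
#     top-level label ("*.com") are rejected;
#   - comparison is case-insensitive, as DNS names are.
set -f   # disable file-name globbing so literal asterisks survive word splitting

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# wildcard_matches PATTERN HOST -> prints "match" or "no-match"
# and returns 0 / 1 so it can also be used directly in conditions.
wildcard_matches() {
  pattern=$(lower "$1")
  host=$(lower "$2")

  case "$pattern" in
    *\**\**)                        # two or more asterisks: not a legal name
      echo "no-match"; return 1 ;;
    "*."*)                          # wildcard as the whole leftmost label
      suffix=${pattern#\*.}         # everything to the right of "*."
      case "$suffix" in
        *\**|""|*.|.*) echo "no-match"; return 1 ;;   # malformed suffix
        *.*) ;;                                       # at least two labels remain
        *)   echo "no-match"; return 1 ;;             # "*.com": wildcard on a TLD
      esac
      case "$host" in
        *."$suffix")
          lead=${host%."$suffix"}   # the part the asterisk has to stand for
          case "$lead" in
            ""|*.*) echo "no-match"; return 1 ;;       # empty, or spans a dot
            *)      echo "match";    return 0 ;;
          esac ;;
        *) echo "no-match"; return 1 ;;
      esac ;;
    *\**)                           # asterisk anywhere else: reject
      echo "no-match"; return 1 ;;
    *)                              # plain name: exact match only
      if [ "$pattern" = "$host" ]; then echo "match"; return 0; fi
      echo "no-match"; return 1 ;;
  esac
}

# Constructed pairs covering the cases discussed in the text.
for pair in '*.example.com www.example.com'   '*.example.com example.com' \
            '*.example.com a.b.example.com'   '*.*.example.com a.b.example.com' \
            'w*.example.com www.example.com'  '*.EXAMPLE.com WWW.example.COM' \
            '*.com example.com'; do
  set -- $pair
  printf '%-20s %-20s %s\n' "$1" "$2" "$(wildcard_matches "$1" "$2")"
done
```

The function deliberately rejects anything a modern browser would reject rather than trying to be lenient; when in doubt, a client should fail closed on a name it cannot match.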
Applying one wildcard SSL certificate is more advantageous for cost and management than issuing a separate certificate for each sub-domain, especially when new sub-domains are expected to keep appearing as use of the web service grows and SSL has to be applied and operated on each of them.
On the web server, when you want to apply it to all sub-domain websites on the default SSL port 443: a web server that does not support SNI can bind only one certificate per SSL port (for example 443), so a single wildcard certificate is the only way to serve every sub-domain on that port.
How do you put several different wildcard domains into one certificate? For such cases there is a Multi-Wildcard SSL certificate product. A single wildcard certificate can contain only one wildcard name; a multi-wildcard certificate can contain up to 250 wildcard names in one certificate.
"Low cost" Wildcard certificates
Let's now move on to the available offer. Among SSL certificates for sub-domains we immediately notice two entry-level products, the RapidSSL and the Sectigo Essential: these are Domain Validated certificates, which do not carry the company's name and therefore offer a low level of assurance, but can be issued quickly, in less than an hour. We recommend them to those in a hurry who have no particular requirements.
Corporate Wildcard Certificates
Among the OV (Organization Validated) certificates, which involve validation of the company itself, we recommend the GeoTrust. First of all, GeoTrust is synonymous with reliability, being one of the best-known brands in web security.
Second, but not least, because this wildcard certificate offers the highest warranty in the rare event that a breach of the encryption occurs. In this case the warranty offered is 1.25 million US dollars, enough to sleep peacefully.
Finally, it must be said that, for wildcards, there are no EV (Extended Validated) certificates available, at least for now; those are the ones that older browsers displayed with a green address bar together with the full name of the owning company.
If you need EV validation on some sub-domains, you must opt for single-domain or multi-domain (SAN) EV certificates, which list each host name explicitly.
Some basic distinctions to help you understand HTTPS and SSL certificates:
HTTPS VS HTTP
HTTP stands for Hypertext Transfer Protocol, the communication protocol for transferring hypertext (HTML). In HTTPS, the trailing S stands for Secure, as in HTTP over Secure Sockets Layer. Because HTTP transmits data unencrypted, it is very easy to intercept the messages exchanged between server and client.
For example, an eavesdropper could capture or alter the data while a password is sent to the server to log in, or while a confidential document is read. HTTPS is what protects against this.
HTTPS and SSL
HTTPS and SSL are often treated as the same thing. This is only partly right. It is like treating the Internet and the web as the same thing: just as the web is one service running on the Internet, HTTPS is HTTP running on top of the SSL/TLS protocol.
SSL and TLS
Essentially the same thing. SSL was invented by Netscape and, as it became widely used, it was handed over to the IETF standards body and renamed TLS. TLS 1.0 is the successor of SSL 3.0. The name SSL is still used far more often than TLS, but note that the SSL 2.0 and 3.0 protocols themselves, as well as TLS 1.0 and 1.1, are deprecated and should be disabled on servers; current deployments use TLS 1.2 or 1.3.
Types of encryption used by SSL
The key to SSL is encryption. For reasons of both security and performance, SSL combines two encryption techniques. To understand how SSL works you need to understand them; without that, the way SSL works will feel abstract. We introduce the encryption techniques used in SSL so that you can understand SSL in detail. It is worth the effort, because this is basic knowledge for any IT person, not just an SSL detail.
Encryption turns readable data into unreadable ciphertext using a value called a key. Because the result depends on the key, someone who does not know the key cannot perform decryption, the reverse operation that recovers the original data. Symmetric-key encryption is a technique in which encryption and decryption are performed with the same key.
In other words, if you used the value 1234 to encrypt, you must supply the value 1234 to decrypt. To make this concrete, consider how openssl encrypts with a symmetric key: you create a plaintext.txt file, run openssl's encryption command on it, and are prompted for a password. The password you enter becomes the symmetric key.
The symmetric-key method has a drawback: it is hard to hand the symmetric key safely to the other party. If the key leaks in transit, an attacker who obtains it can decrypt everything, and the encryption becomes useless. The public-key method was developed against this background.
The public-key method uses two keys. What is encrypted with key A can be decrypted with key B, and what is encrypted with key B can be decrypted with key A. Building on this, one of the two keys is designated the private key (also called the secret key) and the other the public key.
The private key is kept only by its owner, and the public key is given to others. Someone who has been given the public key encrypts information with it and sends the result to the holder of the private key, who decrypts it with that key. Even if the public key is exposed along the way this is safe, because the information cannot be decrypted without the private key: the public key can encrypt, but it cannot decrypt.
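The two techniques above, and the way SSL combines them, as an added example run with the openssl command line. This is illustrative code written for this page, not from the original article; the message, the passwords (1234 and 4321, echoing the text) and all file names are made up for the demo. It shows the symmetric round trip, what happens with the wrong key, the public-key round trip, that the public key alone cannot decrypt, and finally the hybrid scheme SSL actually uses: public-key encryption protects a short symmetric key, and that symmetric key protects the bulk data.

```shell
#!/bin/sh
# Added example: symmetric, public-key and hybrid encryption with openssl.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

printf 'attack at dawn' > plaintext.txt      # constructed sample message

# --- symmetric key: the same password encrypts and decrypts ---------------
# -pbkdf2 derives the AES key from the password with a salt and many
# iterations; -pass replaces the interactive prompt the text describes.
symmetric_roundtrip() {
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass pass:1234 \
      -in plaintext.txt -out ciphertext.bin
  openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:1234 -in ciphertext.bin
}

# A different password yields a different key, so decryption fails (or, in
# the rare case the padding happens to look valid, yields garbage).
symmetric_wrong_key() {
  openssl enc -d -aes-256-cbc -pbkdf2 -pass pass:4321 -in ciphertext.bin 2>/dev/null \
    || echo "decrypt-failed"
}

# --- public key: encrypt with the public key, decrypt with the private -----
make_keypair() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out private.pem 2>/dev/null
  openssl pkey -in private.pem -pubout -out public.pem    # the part you hand out
}

public_key_roundtrip() {
  openssl pkeyutl -encrypt -pubin -inkey public.pem -pkeyopt rsa_padding_mode:oaep \
      -in plaintext.txt -out sealed.bin
  openssl pkeyutl -decrypt -inkey private.pem -pkeyopt rsa_padding_mode:oaep -in sealed.bin
}

# The public key cannot undo its own encryption; the operation fails without
# the private component, which is why leaking the public key is harmless.
public_key_cannot_decrypt() {
  openssl pkeyutl -decrypt -pubin -inkey public.pem -in sealed.bin >/dev/null 2>&1 \
    || echo "decrypt-refused"
}

# --- how SSL combines them: RSA seals a fresh symmetric key, AES does the
#     bulk work. Public-key operations are slow, so they only touch the key.
hybrid_roundtrip() {
  openssl rand -hex 32 > session.key                         # fresh symmetric key
  openssl enc -aes-256-cbc -pbkdf2 -pass file:session.key \
      -in plaintext.txt -out bulk.bin                         # sender: bulk data
  openssl pkeyutl -encrypt -pubin -inkey public.pem -pkeyopt rsa_padding_mode:oaep \
      -in session.key -out session.key.sealed                 # sender: seal the key
  openssl pkeyutl -decrypt -inkey private.pem -pkeyopt rsa_padding_mode:oaep \
      -in session.key.sealed -out session.key.recovered       # receiver: open the key
  openssl enc -d -aes-256-cbc -pbkdf2 -pass file:session.key.recovered -in bulk.bin
}

symmetric_roundtrip; echo
echo "wrong password: $(symmetric_wrong_key)"
make_keypair
public_key_roundtrip; echo
echo "decrypt with public key only: $(public_key_cannot_decrypt)"
hybrid_roundtrip; echo
```

In a real TLS handshake the session key is negotiated rather than sealed with RSA (modern suites use an ephemeral Diffie-Hellman exchange), but the division of labour is the same: asymmetric cryptography for the key, symmetric cryptography for the data.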
The role of SSL certificates is rather involved, so some background is needed to understand how they work. A certificate has two main functions.
Understanding both of them is the key to understanding certificates.
Ensures that the server to which the client connects is a trusted server.
Provides the public key to be used for SSL communication to the client.
The certificate's role is to ensure that the server the client connects to is the server the client intended. Private companies fill this role; they are called CAs (Certificate Authorities), and their own self-signed certificate is the root certificate. Not just any company can act as a CA: only companies whose trustworthiness has been strictly audited are admitted. The representative companies at the time of writing were as follows, with their market share at that time.
Symantec with 42.9% market share
Comodo with 26%
GoDaddy with 14%
GlobalSign with 7.7%
A service that wants to offer encrypted communication over SSL must obtain a certificate from a CA (commercial CAs sell them; some CAs issue them free of charge). The CA assesses the trustworthiness of the service in various ways before issuing.
Private Certificate Authority
If you want to use SSL encryption for development or private purposes, you can also act as a CA yourself. Of course, a certificate from a private CA is not a publicly trusted certificate.
Content of SSL certificate
The SSL certificate contains the following information:
Service information (the CA that issued the certificate, the service's domain, etc.)
The server's public key (the key itself and its algorithm)
Browsers know the CAs
To understand certificates, one more thing you must know is the list of CAs. The browser (or the operating system it runs on) ships with a list of trusted CAs in advance; this trust store is part of the browser's own distribution. To become a recognized CA, a company's root certificate must be included in this list. Because each entry is the CA's root certificate, the browser already holds the public key of every CA it trusts, and uses it to check the signature on the certificates those CAs issue.