Forum Discussion
scot_hartman_82
Nimbostratus
Feb 27, 2009
Wildcard Cert Syntax
I'm in the same boat I see others are in, with a cert that doesn't match if someone uses www. (cert is for foo.abc.com but some users may try to hit www.foo.abc.com)
I have an iRule to redirect any http requests to https. In that, I strip the www in my redirect. But that won't work if they try https://www.foo.abc.com directly.
Is it possible to get a wildcard cert like this?
*foo.abc.com
so it would match requests to
www.foo.abc.com
foo.abc.com
or can you only follow the format of *.foo.abc.com?
Do you have to have " *. " as the first two characters?
Any chance you can wildcard the end of a domain?
foo.abc.*
to match the other extensions ...
foo.abc.net
foo.abc.org
foo.abc.com
Thanks,
Scot
6 Replies
- f5now_28704
Nimbostratus
I use wildcard certs for some of our primary domains. You can get *.foo.abc.com but not foo.abc.*; it doesn't work like that.
Just get a wildcard for *.abc.com, *.abc.net, and *.abc.org. Then if you want to use fofo.abc.net you can do it.
https://www.thawte.com/ssl-digital-certificates/wildcardssl/index.html
Ryan
- scot_hartman_82
Nimbostratus
Follow up...
Will a wildcard cert for...
*.foo.abc.com
match
foo.abc.com
?
Or does there need to be a "." in front of foo to match?
Thanks,
Scot
- f5now_28704
Nimbostratus
In my case I use a wildcert for *.abc.net that is on a few sites like www.abc.net, www1.abc.net, www2.abc.net, download.abc.net.
In your case you would purchase a cert for *.abc.com, *.abc.net, *.abc.org.
Then your sites could answer for all your primary names.
Hope this makes sense. You can get a trial of a wide cert from: https://www.thawte.com/ucgi/gothawte.cgi?a=w34440158357049000
- scot_hartman_82
Nimbostratus
Thanks for the reply.
What I'm wondering is will a wildcard cert for *.foo.abc.com match foo.abc.com?
I want to make sure it matches https://foo.abc.com as well as https://www.foo.abc.com.
I've seen posts that hint one way or the other and just wanted to know if anyone has used a wildcard cert to match without anything leading?
Thanks,
Scot
- f5now_28704
Nimbostratus
You would need two certs: one for *.abc.com for https://foo.abc.com and one for *.foo.abc.com for https://www.foo.abc.com
ryan
- scot_hartman_82
Nimbostratus
Hmmm.... afraid of that.
And I can only use one cert per VIP.
Guess I may need to look into either a less qualified wildcard like *.abc.com or play with SAN certs.
Thanks for the insights,
Scot
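Added example, not part of any post in this thread: a small Python sketch of the strict wildcard rule TLS clients apply when checking a certificate name (RFC 6125 style: `*` only as the whole left-most label, standing for exactly one label), run against the names discussed above. The function names `wildcard_matches` and `cert_covers` are hypothetical, and the last case assumes a single SAN cert listing both foo.abc.com and *.foo.abc.com.

```python
def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Strict matching: '*' must be the entire left-most label and
    stands for exactly one label; it never matches zero labels or a dot."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Reject partial-label (*foo.abc.com) and non-leftmost (foo.abc.*) wildcards.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # One wildcard label covers one hostname label, so label counts must be equal.
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(san_names, hostname: str) -> bool:
    """A cert is acceptable if any one of its SAN entries matches."""
    return any(wildcard_matches(name, hostname) for name in san_names)


# Constructed test cases using the names from the thread.
CASES = [
    (["*.foo.abc.com"], "www.foo.abc.com"),
    (["*.foo.abc.com"], "foo.abc.com"),        # bare name is NOT covered
    (["*.abc.com"], "foo.abc.com"),
    (["*.abc.com"], "www.foo.abc.com"),        # '*' does not span two labels
    (["*foo.abc.com"], "www.foo.abc.com"),     # partial-label wildcard
    (["foo.abc.*"], "foo.abc.net"),            # trailing wildcard
    (["foo.abc.com", "*.foo.abc.com"], "foo.abc.com"),      # assumed SAN cert
    (["foo.abc.com", "*.foo.abc.com"], "www.foo.abc.com"),  # assumed SAN cert
]


def report():
    """Return (san_names, hostname, verdict) rows for the cases above."""
    return [(sans, host, cert_covers(sans, host)) for sans, host in CASES]


if __name__ == "__main__":
    for sans, host, ok in report():
        print(f"{', '.join(sans):32} {host:18} {'match' if ok else 'MISMATCH'}")
```
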
