Knowledge Base

Why do wildcard certificates cause a name mismatch on second level subdomains?

Question

Why do wildcard certificates cause a name mismatch on second level subdomains?
For example, a certificate for *.example.com doesn't protect subdomain.subdomain.example.com.

Answer

This is normal behavior, as defined in RFC 2818, 3.1. Server Identity:

Names may contain the wildcard character '*' which is considered to match any single domain name component or component fragment. E.g., '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com'.

In other words, the asterisk can only stand for one field, and the certificate can only have one asterisk. That means the same certificate for example.com can't cover a two-level subdomain like subdomain.subdomain.example.com.

Workaround

As a workaround, create a wildcard certificate for the first level of the subdomain:

Add subdomain.example.com with the Add Domain button (not the Add Subdomain button): How to add a domain in Plesk
Issue a wildcard certificate for subdomain.example.com

The new certificate will cover the second level subdomain.

Knowledge Base

Why do wildcard certificates cause a name mismatch on second level subdomains?

Question

Answer

Workaround

Exploring Plesk’s Added Value Solutions So Far in 2023

Unveiling Sitejet Builder: The Perfect Match for Your Effortless Website Creation Needs

Dynamic List vs. Active List: A Comprehensive Comparison – Unveiling the Ultimate Winner!

How to add/change a DNS NS record in Plesk

How to disable web statistics in Plesk?

Plesk domain behind Cloudflare is not accessible: Invalid SSL certificate Error code 526

How to disable ModSecurity in Plesk?