
Understanding Wildcard SSL Certificates and SAN SSL

SSL/TLS Certificates

SSL certificates identify and authenticate public IP addresses by assigning each a public/private keypair attached to the server’s unique domain name. Embedding the domain name in the certificate is essential for identifying the web server and for checking the server’s digital signature to confirm the certificate’s validity.

However, you do not have to buy a new certificate for every one of your domains.

It’s important to understand your options for SSL certificates, otherwise, you could be wasting valuable resources buying single certificates for each of your domains. For organizations that host many public-facing servers, purchasing multi-purposed SSL certificates might be the best option.

What is a Multi-Purposed SSL Certificate?

A multi-domain SSL certificate is a special-purpose SSL certificate that can secure multiple primary domains, sub-domains, or public IP addresses using only one SSL certificate and one IP address. Multi-purposed SSL certificates were initially proposed as a solution for unified communications applications. Nowadays, they can benefit anyone who plans to merge several primary domains or subdomains into a single SSL certificate.

The two main types are:

  • Wildcard certificates: which secure the primary domain and multiple subdomains (e.g., www.domain.com, email.domain.com, blog.domain.com).
  • SAN SSL certificates: which secure one primary domain name and, depending on the provider, up to 500 subject alternative names (e.g., primary domains, IP addresses, common names).


It is also possible to use the two types in combination, covering unlimited sub-domains and primary domains, all in a single SSL certificate. You have many to choose from when you combine these options with the different levels of validation for SSL certificates.

Let’s look closer at the two types of multi-purposed SSL certificates to determine which might be the right fit for your needs.

Wildcard Certificate (Wildcard SSL)

What is Wildcard SSL?

A wildcard certificate is a multi-domain SSL certificate that applies to a single primary domain — and all its sub-domains.

Why use Wildcard SSL?

Organizations often find themselves needing sub-domain names: names that share the same root name but require unique prefixes. Using a wildcard certificate is a much more practical and versatile solution than using multiple regular SSL certificates.

How does Wildcard SSL work?

Typically, an SSL certificate is a single domain certificate. Wildcard certificates work similarly but offer several significant advantages.

A wildcard certificate still lists only one primary domain (e.g., domain.com), but the wildcard character, an asterisk (*), allows it to protect an unlimited number of sub-domains (e.g., login.domain.com, mail.domain.com, search.domain.com).

Also, you can add, change, or replace sub-domains without needing to update the certificate. Thus, Wildcard SSL Certificates are the most reasonable and highly recommended for anyone who uses multiple sub-domains.

Wildcard SSL Summary

Wildcard certificates can simplify management duties and reduce costs in the right situation. However, while these certificates appear easier to manage, the risk of compromise can be greater. Deploying a wildcard certificate on unlimited servers and subdomains is appealing, but if the wildcard certificate (and its private key) becomes compromised, then every location that uses it becomes compromised.

Just like regular SSL certificates, you’ll want to know what wildcard certificates are used (or misused) for through a certificate management solution.

Subject Alternative Name (SAN) Certificates

The certificate most comparable to a wildcard certificate is the subject alternative name (SAN) certificate. Let’s take a closer look at how they compare.

What are SAN Certificates?

Subject Alternative Name certificates (SAN SSL), also called Unified Communications Certificates (UCC), were initially designed to support real-time communication infrastructures.

How does SAN SSL work?

Subject alternative name (SAN) is an extension to the SSL Protocol; it allows various values to be associated with an SSL certificate using alternative names, for example:

  • Email addresses
  • IP addresses
  • DNS names or Common Name RDN
  • Directory names or Distinguished Names
  • General Names or Universal Principal Names

Why use SAN Certificates?

Anyone who needs to protect more than one domain name or IP address should consider a SAN certificate. These certificates offer a more time- and cost-effective solution than buying separate SSL certificates for each domain. SAN Certificates are ideal for when you need to secure multiple websites with different domain names.

Certifying multiple domains on a single server typically requires a unique IP address for each domain.

A SAN certificate, however, saves you the hassle and time of configuring multiple IP addresses on your server and binding each IP address to a different certificate, and it also works when a single IP address serves multiple services (e.g., OWA, SMTP, Autodiscovery, ActiveSync).

All certificate authorities offer multi-domain SSL certificates, with coverage depending on the multi-domain SSL plan chosen from a particular provider.

Wildcard + SAN SSL Certificate

As the name suggests, SAN can also be combined as an extension with a wildcard to add functionality to the certificate. This combination makes SSL certificate management much more straightforward and cheaper than managing separate SSL certificates for each domain you own.

A notable use case scenario is in organizations that require internal and external validation and use different sub-domain names for each.

For example, an organization might use InternalSip.domain.com and ExternalSIP.domain.com for an instant messaging application whose messages must be encrypted. Here, you must certify both the internal and the external service so that users can use the application remotely and securely.

A wildcard certificate encrypts all subdomains of a fully qualified domain name that share the same server. When combined with the capabilities of SAN SSL, however, the certificate can support multiple servers and unlimited subdomains.
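As an added example (not code from the original article), the Python routine below shows how a client decides whether a wildcard + SAN certificate like the one just described, and the plain wildcard certificate from the earlier section, actually covers the host it connected to; the certificate identity and the IP address are constructed sample values. The matching rules follow RFC 6125: a wildcard is accepted only as the whole left-most label and matches exactly one label, IP addresses are matched only against iPAddress entries, and the Common Name is ignored once any SAN entry is present.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class CertIdentity:
    """Identity fields of an X.509 certificate (constructed, not parsed from DER)."""
    common_name: str
    san_dns: list = field(default_factory=list)  # dNSName entries
    san_ip: list = field(default_factory=list)   # iPAddress entries, as strings


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of a hostname against one dNSName entry:
    case-insensitive; '*' is accepted only as the entire left-most label and
    matches exactly one label, so '*.domain.com' covers 'mail.domain.com'
    but neither 'domain.com' nor 'a.mail.domain.com'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    # Reject partial wildcards ('m*.domain.com') and overly broad ones ('*.com').
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lab for lab in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def certificate_covers(cert: CertIdentity, reference: str) -> bool:
    """Is the certificate valid for the host the client connected to?
    An IP reference must appear verbatim among iPAddress entries; dNSName
    entries (wildcards included) never match an IP. Once any SAN entry is
    present the Common Name is ignored, as browsers do; the CN is consulted
    only for legacy certificates that carry no SAN at all."""
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(e) == ip for e in cert.san_ip)
    if cert.san_dns or cert.san_ip:
        return any(dns_name_matches(d, reference) for d in cert.san_dns)
    return dns_name_matches(cert.common_name, reference)


# Constructed sample: a wildcard + SAN certificate of the kind the article describes.
EXAMPLE_CERT = CertIdentity(
    common_name="domain.com",
    san_dns=["domain.com", "*.domain.com", "InternalSip.domain.com", "otherdomain.net"],
    san_ip=["203.0.113.10"],
)
```

Note that `a.b.domain.com` is not covered by `*.domain.com`: a wildcard spans one label only, which is the usual surprise when an "unlimited subdomains" certificate is deployed on nested hostnames.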

Managing Wildcard Certificates

Having trouble managing wildcard and regular SSL certificates? See how Keyfactor Command’s certificate life cycle automation capabilities can remove the wildcard management headache and prevent certificate outages.