Why would a website include both subdomains and a wildcard in SAN field?











If you visit the XDA developers website and see the certificate information, they list both *.XDA-developers.com and each subdomain individually in the SAN field.
If they used a wildcard, why do they have to list each subdomain individually?



ssl-certificate






edited 2 days ago









harrymc

asked 2 days ago









kiiler

  • Most likely they had individual entries, then came back and added a wildcard and didn't remove the specific individual entries (either due to an oops, or maybe there was a Nagios/etc monitor looking for api.xda-developers.com in the SAN and they didn't want to update it)
    – bartonjs
    yesterday


















1 Answer
The type of the certificate you see is called "Multi-Domain SSL Certificate".



These SSL certificates protect different domains with a single certificate, using the SAN extension. For this reason, these certificates are often referred to as SAN certificates.



SAN names are generally not required to belong to the same domain. In other words, it’s perfectly fine for a certificate to cover a list of names like the following:



example.com
www.example.com
foo.bar.hello.com
another.domain.com


So these are not sub-domains that are listed, but domains in their own right.
Their common denominator is that they are all protected by this one SSL
certificate.



It wouldn't surprise me if all these domains were housed in one Web server
that is using this same certificate for all its serviced domains.



References:




  • Digicert Multi-Domain (SAN) Certificates

  • Wikipedia Subject Alternative Name







answered 2 days ago









harrymc

  • But they have the same base domain though. Why include mail.example.com, img.example.com and *.example.com in the SAN field? The *.example.com already covers the mail and img subdomains. The image posted in the question (thanks) shows all the subdomains and the wildcard too. Isn't it redundant?
    – kiiler
    2 days ago












  • That someone was me. It's true that this is a bit wasteful and could be done with *.example.com, but this is an internal decision of the site administrator. Maybe some obscure browser they need to support does not do wildcards, or maybe the administrator just overdid it "for good measure". In any case, this might not be elegant, but it works for them. Their website needs to work on many devices and many browsers, and works well, so we can't fault their work without full knowledge of the circumstances.
    – harrymc
    2 days ago
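
To check which SAN entries a wildcard really makes redundant, the following added example (not part of the original posts) applies the usual matching rule, in which `*` stands for exactly one left-most label. The sample names are constructed, and `dns_names_from_peercert`, `wildcard_covers` and `audit_san` are hypothetical helper names; the example goes slightly beyond the thread by also showing names a wildcard does not cover.

```python
# Added example: which SAN dNSName entries does a wildcard entry already cover?
# All names below are constructed sample data, not taken from a real certificate.

# Same shape as the dict returned by ssl.SSLSocket.getpeercert(), SAN field only.
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "*.example.com"),
        ("DNS", "example.com"),
        ("DNS", "mail.example.com"),
        ("DNS", "img.example.com"),
        ("DNS", "foo.bar.example.com"),
        ("DNS", "another.domain.com"),
    )
}


def dns_names_from_peercert(cert):
    """Extract the DNS-type SAN entries, lower-cased, in certificate order."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


SAMPLE_SAN = dns_names_from_peercert(SAMPLE_CERT)


def wildcard_covers(pattern, host):
    """True if SAN entry `pattern` matches `host`.

    Only a whole left-most label "*" is treated as a wildcard; anything else
    (including partial forms such as "w*") is compared literally.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if p[0] != "*":
        return p == h
    # "*" replaces exactly one label: same label count, non-empty first label,
    # and every label to the right of the wildcard must be identical.
    return len(p) == len(h) and h[0] != "" and p[1:] == h[1:]


def audit_san(san_names):
    """Split SAN names into (redundant: {name: covering wildcard}, required: [names])."""
    names = [n.lower().rstrip(".") for n in san_names]
    wildcards = [n for n in names if n.startswith("*.")]
    redundant, required = {}, []
    for name in names:
        cover = next((w for w in wildcards
                      if w != name and wildcard_covers(w, name)), None)
        if cover:
            redundant[name] = cover
        else:
            required.append(name)
    return redundant, required


if __name__ == "__main__":
    redundant, required = audit_san(SAMPLE_SAN)
    for name, wc in redundant.items():
        print(f"redundant: {name} (covered by {wc})")
    for name in required:
        print(f"required:  {name}")
```

In this sample only `mail.example.com` and `img.example.com` are redundant; the bare `example.com` and the two-level `foo.bar.example.com` still need their own entries because the wildcard does not match them.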



















