This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 90%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELR%3C/text%3E%3C/svg%3E)
Hi
Just a problem
We have a domain CA (a root CA which is offline and a sub CA which is domain joined) based on windows server .
An external customer is asking for a wildcard cert.
My question is:
(Please read the domain correctly, I have to format them wrongly, otherwise it will not be shown here)
(asterix).domain.com
(asterix).uat.domain.com
(asterix).prod.domain.co
Are (in this example) uat and prod subdomains included in the wildcard certificate of (asterix).domain.com? Or is the Microsoft CA wildcard ONLY vaild for #(asterix).domain.com and if I want to cover (asterix).uat.doman.com" too I will need this to included this into the SAN as well?
About this I cannot find any information
Best
Lutz
Or is the Microsoft CA widlcard ONLY vaild for .domain.com and if I want to cover *.uat.doman.com too I will need this to included this into the SAN as well?
it is not Microsoft CA-specific. It is RFC standard. Wildcard covers only one level and wildcard can appear only once in domain name and must be leftmost part of domain name. That is, *.domain.com:
will cover:
uat.domain.com prod.domain.comdon't cover:
*.uat.domain.com *.prod.domain.comYou have to include all three names in SAN.