marzelin

Reputation: 11610

wildcard SSL/TLS certificate for second-level domain rejected by browsers

I'm trying to create a certificate for both test and *.test. I'm using minica to generate it and everything goes well (the alt names are added):

X509v3 Subject Alternative Name:
                DNS:*.test, DNS:test

(and the CA certificate is added to the browsers' trusted root certification authorities store), but the certificate is rejected by both Chrome and Firefox.

Upvotes: 1

Views: 1146

Answers (1)

marzelin

Reputation: 11610

Although you can create a valid certificate for a second-level domain or even a top-level domain, those certificates won't be respected by the browsers for security reasons (i.e. a certificate for *.com would be very dangerous). So even though test is a reserved domain name that can't be registered by any registrar, the certificate will be rejected.

When you try to do this with mkcert you'll get a pretty nice warning:

Warning: many browsers don't support second-level wildcards like *.test ⚠️

Use i.e. app.test + *.app.test instead.

Upvotes: 1
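The rule the answer describes is the one browsers apply when they match a hostname against a certificate's SAN entries: a wildcard may only replace the single leftmost label, and the part after the wildcard must not be a TLD or public suffix (so *.test and *.com are refused, while *.app.test is fine). The following is an added example written for this page, not code from the question, minica or mkcert; it models that check in plain Python with a constructed, deliberately tiny subset of the public suffix list (the real list lives at publicsuffix.org), and it only models the wildcard rule, not how a browser treats a bare name such as test.

```python
"""Browser-style hostname matching for certificate SAN entries.

Added example, not part of the original question or answer. The public
suffix set below is a constructed subset for demonstration only; a real
implementation would load the full list from publicsuffix.org.
"""
from typing import List, Optional, Tuple

# Constructed subset of the public suffix list. "test" is a special-use TLD
# (RFC 6761), so a browser treats *.test exactly like *.com.
PUBLIC_SUFFIXES = {"com", "net", "org", "test", "localhost", "co.uk"}


def _labels(name: str) -> List[str]:
    """Normalise a DNS name: lowercase, drop trailing dot, split on '.'."""
    return name.lower().rstrip(".").split(".")


def is_public_suffix(domain: str) -> bool:
    return ".".join(_labels(domain)) in PUBLIC_SUFFIXES


def wildcard_problem(san: str) -> Optional[str]:
    """Return why a wildcard SAN would be rejected, or None if acceptable.

    Non-wildcard SANs never have a wildcard problem.
    """
    if "*" not in san:
        return None
    labels = _labels(san)
    # The wildcard must be the whole leftmost label: "w*.example" or
    # "foo.*.example" are not accepted.
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        return "wildcard must be the entire leftmost label"
    parent = ".".join(labels[1:])
    # "*.test" or "*.com": the wildcard would cover an entire TLD.
    if len(labels) < 3:
        return f"wildcard would cover a top-level domain ({parent})"
    # "*.co.uk": the wildcard would cover a registry-controlled suffix.
    if is_public_suffix(parent):
        return f"wildcard would cover a public suffix ({parent})"
    return None


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style match: a wildcard stands in for exactly one label."""
    if wildcard_problem(san):
        return False
    s, h = _labels(san), _labels(host)
    if s[0] != "*":
        return s == h
    # "*.app.test" matches "api.app.test" but neither "app.test"
    # (wildcard needs one label) nor "a.b.app.test" (only one label).
    return len(s) == len(h) and s[1:] == h[1:]


def check_host(sans: List[str], host: str) -> Tuple[bool, str]:
    """Decide whether any SAN covers host; explain the outcome either way."""
    for san in sans:
        if san_matches(san, host):
            return True, f"{host!r} matched SAN {san!r}"
    problems = [f"{san}: {wildcard_problem(san)}"
                for san in sans if wildcard_problem(san)]
    return False, "; ".join(problems) or f"no SAN covers {host!r}"


if __name__ == "__main__":
    # The certificate from the question (SANs test and *.test) versus the
    # layout the answer recommends (app.test and *.app.test).
    for sans, host in [
        (["test", "*.test"], "foo.test"),
        (["app.test", "*.app.test"], "app.test"),
        (["app.test", "*.app.test"], "api.app.test"),
        (["app.test", "*.app.test"], "a.b.app.test"),
    ]:
        ok, why = check_host(sans, host)
        print("ACCEPT" if ok else "REJECT", why)
```

Running the script shows the first case rejected with the same reason mkcert warns about, and the *.app.test layout accepting api.app.test but not a.b.app.test, since a wildcard only ever covers one label.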
