(DC) [CertMgr] Creating a Multi-Domain Certificate that includes a wildcard

Description

This article describes how to create a Certificate Signing Request (CSR) that can be fed into most certificate tools to produce a single certificate covering both a wildcard entry and individual host-level entries.

This process is documented because of a common misconception that a wildcard certificate can carry additional Subject Alternative Names (SANs). A standard wildcard certificate product cannot contain additional host FQDNs or other entries in the SAN field; most certificate authorities simply ignore any extra data there. What works instead is a multi-domain (SAN) certificate in which the wildcard is one of the SAN entries alongside the individual host names.

 

Steps

Scenario: a Certificate Signing Request (CSR) is needed that contains the root host FQDN and the individual server FQDNs together with a wildcard entry.

Example

  • Root Host = myservice.somedomain.com

  • Wildcard = *.myservice.somedomain.com

  • Server FQDNs = myservice-p01.somedomain.com, myservice-p02.somedomain.com

  1. Create a Certificate Signing Request (CSR).

  2. Set the Common Name (CN) to the root host, not the wildcard, e.g. myservice.somedomain.com.

  3. In the SAN field include the root host itself, the wildcard entry and each server FQDN. The root host must be repeated in the SAN list because modern browsers and TLS libraries ignore the CN and match the requested name only against the SAN entries.
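The steps above carried out with the OpenSSL command line, as an added example that is not part of the original article. It writes a request config with the CN set to the root host and all four names in subjectAltName, generates a key and CSR, and then reads the DNS names back out of the finished CSR so they can be checked before the request is pasted into Certificate Manager. The host names are the ones from the article; the working directory, file names and the 2048-bit RSA key size are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): build a CSR whose CN is the root host
# and whose SAN list holds the root host, the wildcard and the server FQDNs.
# WORKDIR, the file names and the key size are assumptions for illustration.

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_csr ROOT_HOST [EXTRA_SAN_NAME ...]
# Prints the path of the generated CSR. The root host is always placed in the
# SAN list as well as the CN, since clients match only against the SAN list.
make_csr() {
    root="$1"; shift
    san="DNS:${root}"
    for name in "$@"; do
        san="${san},DNS:${name}"
    done
    cat > "${WORKDIR}/csr.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = ${root}

[ v3_req ]
subjectAltName = ${san}
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "${WORKDIR}/${root}.key" \
        -out "${WORKDIR}/${root}.csr" \
        -config "${WORKDIR}/csr.cnf" 2>/dev/null || return 1
    printf '%s\n' "${WORKDIR}/${root}.csr"
}

# csr_san_names CSR_FILE
# Prints the DNS names actually encoded in the CSR, one per line. Run this on
# every CSR before submitting it: a name missing here will be missing from the
# issued certificate too.
csr_san_names() {
    openssl req -noout -text -in "$1" \
        | sed -n 's/^ *DNS:/DNS:/p' \
        | tr ',' '\n' \
        | sed 's/^ *DNS://'
}

# Usage with the article's example names: root host as CN, wildcard and the
# two server FQDNs as additional SAN entries.
CSR_FILE=$(make_csr myservice.somedomain.com \
    '*.myservice.somedomain.com' \
    myservice-p01.somedomain.com \
    myservice-p02.somedomain.com)
echo "CSR written to ${CSR_FILE}; SAN entries:"
csr_san_names "${CSR_FILE}"
```

The CN is set through `prompt = no` so the script never stops for interactive input, and the wildcard is quoted on the command line so the shell does not expand it against the current directory. The private key stays in WORKDIR and is never uploaded; only the `.csr` file goes to the certificate manager.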

Processing CSR

InCommon / Sectigo Certificate Manager

Paste the CSR into the manager and apply the following settings. Select a multi-domain (SAN) certificate type rather than the wildcard type, since the wildcard product will drop the additional host entries.

Ensure that all of the SANs (the root host, the wildcard and each server FQDN) are showing up in the manager's SAN list (see below) before requesting certificate generation. Any name missing from the request will be missing from the issued certificate.