Some Trouble with Wildcard SSL Certificates, FireFox and RFC2818
When working on a non-finance website recently, the client wanted to include the username as the subdomain, to give the user more of a sense of "my site." So, Fred gets https://fred.foo.com as his address.
The client purchased a very expensive (US$500) "Wildcard SSL Certificate" for https://*.foo.com and it works fine.
Some trouble happened when a staging site was introduced. Now we're looking at https://fred.staging.foo.com for the URL.
This works fine in FireFox 2 as seen in this screenshot:
But IE7 really doesn't like it. Your first reaction might be to get mad at IE7, "those jerks! They never follow the spec."
However, according to RFC2818 with emphasis mine (Thanks Eric Lawrence!):
Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.
When I visit *.foo.com with IE7, it works fine, per spec.
My conclusion here is that FireFox 2 is out of spec with RFC2818. I wonder if this is known by the FireFox team? Am I missing something?
In our case, we'll need to either have wildcard certificate that covers both *.foo.com and *.staging.foo.com (the latter in the SubjectAltName field). If a CA won’t issue us such a certificate for whatever reason, we'll need to buy two different wildcard certificates ($$), and also host staging.foo.com on a different port or IP address, since the Server Name Indicator TLS extension is not broadly available at this point, and hence you cannot reliably use two different certificates for the same endpoint. Again, thanks to EricL for helping explain this.