====== Scenario 3.5: Issue Wildcard Certificate ======
**Category:** [[.:start|Issue Certificates]] \\
**Complexity:** **** (High) \\
**Prerequisites:** Domain control, Intermediate CA \\
**Estimated Time:** 15-20 minutes
----
===== Description =====
This scenario describes issuing a **wildcard certificate** (''*.example.com''). Wildcard certificates secure all subdomains of a domain with a single certificate.
**Advantages:**
  * One certificate for all subdomains
  * Easier management
  * More cost-effective
**Disadvantages:**
  * Higher risk if the private key is compromised
  * Does not cover the apex (root) domain
  * Covers only one subdomain level
----
===== Wildcard Rules =====
^ Pattern ^ Covers ^ Does NOT cover ^
| ''*.example.com'' | www.example.com, api.example.com | example.com, sub.api.example.com |
| ''*.api.example.com'' | v1.api.example.com | api.example.com |
**Important:** ''*.example.com'' does NOT cover ''example.com'' (the apex domain without a subdomain)! Always add both as SAN entries.
----
===== Code Example (C#) =====
<code csharp>
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();
var caCert = ctx.LoadCertificate("intermediate-ca.crt.pem");
var caKey = ctx.LoadPrivateKey("intermediate-ca.key.pem", "CaPassword!");

// Key pair for the wildcard certificate (ML-DSA-65 is a signature-only algorithm)
using var wildcardKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);

var dn = new DnBuilder()
    .AddCN("*.example.com")
    .AddO("Example GmbH")
    .AddC("DE")
    .Build();

// Create CSR
var csr = ctx.CreateCertificateRequest(
    wildcardKey, dn,
    new ExtBuilder()
        // Wildcard + apex domain: the wildcard alone does not cover example.com
        .SubjectAlternativeName(new[] {
            "dns:*.example.com",
            "dns:example.com"
        })
        .Build()
);

// Issue wildcard certificate
var wildcardCert = ctx.IssueCertificate(
    csr,
    issuerCert: caCert,
    issuerKey: caKey,
    serialNumber: ctx.GenerateSerialNumber(),
    validDays: 365,
    extensions: new ExtBuilder()
        .BasicConstraints(ca: false, critical: true)
        // ML-DSA keys only sign; keyEncipherment is not applicable to this key type
        .KeyUsage(KeyUsageFlags.DigitalSignature)
        .ExtendedKeyUsage(ExtKeyUsage.ServerAuth)
        .SubjectKeyIdentifier(csr.PublicKey)
        .AuthorityKeyIdentifier(caCert)
        .CrlDistributionPoint("http://crl.example.com/intermediate.crl")
        .Build()
);

wildcardCert.ToPemFile("wildcard.crt.pem");
wildcardKey.ToEncryptedPemFile("wildcard.key.pem", "SecurePassword!");
</code>
----
===== Multi-Level Wildcard =====
Because a wildcard matches exactly one label, deeper subdomain levels need their own wildcard entries. Replace the SAN extension of the CSR above with one wildcard per level:
<code csharp>
new ExtBuilder()
    .SubjectAlternativeName(new[] {
        "dns:example.com",              // apex domain
        "dns:*.example.com",            // www, api, app, etc.
        "dns:*.dev.example.com",        // dev1.dev, dev2.dev, etc.
        "dns:*.staging.example.com"     // staging environments
    })
    .Build()
</code>
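The matching rules from the Wildcard Rules table and the multi-level SAN list above, worked through as an added example (Python, not part of the WvdS library). It applies the RFC 6125 rule that ''*'' is only accepted as the complete left-most label and matches exactly one label, and adds a labelled policy assumption that rejects overly broad patterns such as ''*.com''. Hostnames in the inventory are constructed sample data.

```python
"""Wildcard SAN matching rules, added example (not part of the WvdS library)."""
from __future__ import annotations


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a dns: SAN pattern covers hostname.

    RFC 6125 section 6.4.3: '*' is accepted only as the complete left-most
    label and matches exactly one label, so '*.example.com' covers
    'www.example.com' but neither 'example.com' nor 'sub.api.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname                 # plain SAN: exact match only
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole first label; '*' anywhere else is rejected.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Policy assumption (not from the page): refuse '*.com'-style patterns.
    if len(p_labels) < 3:
        return False
    # Equal label count means '*' consumed exactly one label; the rest must be equal.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def covered_by_sans(sans: list[str], hostname: str) -> bool:
    """True if any 'dns:' SAN entry (the page's notation) covers hostname."""
    return any(
        san.lower().startswith("dns:") and wildcard_matches(san[4:], hostname)
        for san in sans
    )


def uncovered_hosts(sans: list[str], hosts: list[str]) -> list[str]:
    """Hosts from a deployment inventory that the SAN list would NOT secure."""
    return [h for h in hosts if not covered_by_sans(sans, h)]


# Constructed sample: the multi-level SAN list of this scenario and a host inventory.
MULTI_LEVEL_SANS = ["dns:example.com", "dns:*.example.com",
                    "dns:*.dev.example.com", "dns:*.staging.example.com"]
INVENTORY = ["example.com", "www.example.com", "dev1.dev.example.com",
             "app.staging.example.com", "deep.dev1.dev.example.com",
             "v1.api.example.com"]

if __name__ == "__main__":
    # The two hosts one level too deep for any listed wildcard are reported.
    print(uncovered_hosts(MULTI_LEVEL_SANS, INVENTORY))
```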
----
===== Security Notes =====
**Risks of Wildcard Certificates:**
  * A compromise of the private key affects ALL subdomains
  * The private key is typically deployed to many hosts, widening its exposure
  * Revocation affects all services at once
**Best Practices:**
  * Store the private key centrally (HSM)
  * Short validity (max. 1 year)
  * Separate wildcard certificates for Prod/Dev/Staging
  * Monitor certificate issuance and expiry for all subdomains
----
===== Related Scenarios =====
^ Relationship ^ Scenario ^ Description ^
| **Alternative** | [[.:server_cert|3.1 Server Certificate]] | Single certificate |
| **Alternative** | [[en:int:pqcrypt:szenarien:csr:csr_multi_san|2.3 Multi-SAN CSR]] | Explicit SANs |
| **Next Step** | [[en:int:pqcrypt:szenarien:tls:server_setup|10.1 TLS Server]] | Deployment |
----
<< [[.:smime_cert|<- 3.4 S/MIME Certificate]] | [[.:start|^ Certificates Overview]] | [[en:int:pqcrypt:szenarien:verwaltung:start|4. Manage Certificates ->]] >>
{{tag>scenario certificate wildcard subdomain tls}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//