Scenario 3.5: Issue Wildcard Certificate

Category: Issue Certificates
Complexity: (High)
Prerequisites: Domain control, Intermediate CA
Estimated Time: 15-20 minutes


Description

This scenario describes issuing a wildcard certificate (*.example.com). Wildcard certificates secure all subdomains of a domain with a single certificate.

Advantages:

  • One certificate for all subdomains
  • Easier management
  • More cost-effective

Disadvantages:

  • Higher risk if compromised
  • Does not cover root domain
  • Matches only one subdomain level

Wildcard Rules

Pattern             Covers                              Does NOT cover
*.example.com       www.example.com, api.example.com    example.com, sub.api.example.com
*.api.example.com   v1.api.example.com                  api.example.com

Important: *.example.com does NOT cover example.com (without subdomain)! Always add both as SAN.


Code Example (C#)

using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;
 
using var ctx = PqCryptoContext.Initialize();
 
var caCert = ctx.LoadCertificate("intermediate-ca.crt.pem");
var caKey = ctx.LoadPrivateKey("intermediate-ca.key.pem", "CaPassword!");
 
// Key pair for wildcard
using var wildcardKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);
 
var dn = new DnBuilder()
    .AddCN("*.example.com")
    .AddO("Example GmbH")
    .AddC("DE")
    .Build();
 
// Create CSR
var csr = ctx.CreateCertificateRequest(
    wildcardKey, dn,
    new ExtBuilder()
        // Wildcard + root domain
        .SubjectAlternativeName(new[] {
            "dns:*.example.com",
            "dns:example.com"
        })
        .Build()
);
 
// Issue wildcard certificate
var wildcardCert = ctx.IssueCertificate(
    csr,
    issuerCert: caCert,
    issuerKey: caKey,
    serialNumber: ctx.GenerateSerialNumber(),
    validDays: 365,
    extensions: new ExtBuilder()
        .BasicConstraints(ca: false, critical: true)
        .KeyUsage(KeyUsageFlags.DigitalSignature | KeyUsageFlags.KeyEncipherment)
        .ExtendedKeyUsage(ExtKeyUsage.ServerAuth)
        .SubjectKeyIdentifier(csr.PublicKey)
        .AuthorityKeyIdentifier(caCert)
        .CrlDistributionPoint("http://crl.example.com/intermediate.crl")
        .Build()
);
 
wildcardCert.ToPemFile("wildcard.crt.pem");
wildcardKey.ToEncryptedPemFile("wildcard.key.pem", "SecurePassword!");

Multi-Level Wildcard

For multiple subdomain levels, combine multiple wildcards:

.SubjectAlternativeName(new[] {
    "dns:example.com",
    "dns:*.example.com",          // www, api, app, etc.
    "dns:*.dev.example.com",      // dev1.dev, dev2.dev, etc.
    "dns:*.staging.example.com"   // staging environments
})
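The matching rules from the "Wildcard Rules" table and the multi-level SAN list above can be checked mechanically. The following is an added example, not code from the WvdS library or the author of this page: a small Python matcher implementing the RFC 6125 wildcard semantics that common TLS clients apply (the wildcard must be the entire left-most label and matches exactly one label). The rule that at least two labels must follow the wildcard, so that "*.com" is rejected, is an assumed CA policy, not something this page states. The SAN list is the constructed multi-level example from the section above.

```python
"""Hostname-vs-SAN matching with the wildcard rules described on this page.

Added example (not part of the WvdS library). Implements the common client
interpretation of RFC 6125 section 6.4.3: a wildcard is only recognised as the
whole left-most label and matches exactly one label.
"""
from __future__ import annotations

from typing import Iterable, Optional


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive and a trailing dot is not significant.
    return name.lower().rstrip(".").split(".")


def is_valid_wildcard_pattern(pattern: str) -> bool:
    """Accept plain names and well-formed single-level wildcards only."""
    labels = _labels(pattern)
    if "*" not in pattern:
        return True  # plain DNS name, nothing to validate here
    # The wildcard must be the complete left-most label and appear only once
    # (so "f*.example.com" and "www.*.com" are rejected).
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        return False
    # Assumption (common CA policy, not stated on this page): at least two
    # labels must follow the wildcard, so "*.com" or "*.de" are rejected.
    return len(labels) >= 3


def matches(pattern: str, hostname: str) -> bool:
    """True if the SAN pattern covers hostname under the wildcard rules."""
    if not is_valid_wildcard_pattern(pattern):
        return False
    p, h = _labels(pattern), _labels(hostname)
    if p[0] != "*":
        return p == h
    # A wildcard stands in for exactly one label: the label counts must be
    # equal and every label after the wildcard must be identical. This is why
    # *.example.com covers neither example.com (one label short) nor
    # sub.api.example.com (one label too many).
    return len(p) == len(h) and p[1:] == h[1:]


def first_matching_san(sans: Iterable[str], hostname: str) -> Optional[str]:
    """Return the first SAN entry that covers hostname, or None.

    Entries use the page's "dns:<name>" notation; other SAN types are skipped.
    """
    for san in sans:
        kind, _, value = san.partition(":")
        if kind.lower() != "dns":
            continue
        if matches(value, hostname):
            return san
    return None


# Constructed sample: the multi-level SAN list from the section above.
MULTI_LEVEL_SANS = [
    "dns:example.com",
    "dns:*.example.com",
    "dns:*.dev.example.com",
    "dns:*.staging.example.com",
]

if __name__ == "__main__":
    for host in [
        "example.com",
        "www.example.com",
        "dev1.dev.example.com",
        "a.b.dev.example.com",
        "sub.api.example.com",
    ]:
        print(f"{host:24} -> {first_matching_san(MULTI_LEVEL_SANS, host)}")
```

Running the block shows that "a.b.dev.example.com" and "sub.api.example.com" are covered by none of the four entries, which is the practical consequence of the "only one level" limitation: every additional depth needs its own wildcard entry in the SAN list.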

Security Notes

Risks of Wildcard Certificates:

  • Compromise affects ALL subdomains
  • The private key is typically deployed to multiple locations
  • Revocation affects all services

Best Practices:

  • Store private key centrally (HSM)
  • Short validity (max. 1 year)
  • Separate wildcard certificates for Prod/Dev/Staging
  • Monitoring for all subdomains

Relationship   Scenario                     Description
Alternative    3.1 Server Certificate       Single certificate
Alternative    2.3 Multi-SAN CSR            Explicit SANs
Next Step      10.1 TLS Server Deployment



Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

Last modified: 2026/01/30 at 12:37 AM