10-19-2017 02:51 PM
I have a customer who has a wildcard certificate. Let's say it's:
*.bar.com
They have ISE implemented in multiple subdomains, so let's say they have:
ise1.foo.bar.com
Would *.bar.com match on hosts in the foo.bar.com subdomain? I've looked all over the place on the internet and the guidance in many places is completely unclear. We are trying to chase if this is a bug or not.
10-19-2017 03:00 PM
No, you would need to have a wildcard *.foo.bar.com
And this would be best practice as well, because if this was compromised you could revoke it and not have to revoke foo.com
No bug here
10-19-2017 02:59 PM
No, I do not think it would work. The wildcard certificates need the specific subdomains in them to allow the hostname/FQDN match.
Can I Create a *.subdomain.domain.com Wildcard? How About *.*.subdomain.com? - SSL.com has more info.
10-20-2017 08:03 AM
Hey Moses,
How-to 103 guide, on page 16 of 29.
"""
If you configure a Wildcard Certificate to use *.securitydemo.net, that same certificate may be used to secure any host
whose DNS name ends in “.securitydemo.net”, such as:
• aaa.securitydemo.net
• psn.securitydemo.net
• mydevices.securitydemo.net
• sponsor.securitydemo.net
A wildcard is only valid in the host field of the fully qualified domain name (FQDN). In other words,
*.securitydemo.net would not match ise.aaa.securitydemo.net, because the wildcard value was not in the host portion
of the FQDN.
"""
hope this helps
10-20-2017 09:15 AM
Jason,
Appreciate it. Here is what I can tell from different sources on the internet, of which few are clear:
- The SSL Certificates for a *.domain.tld does not match subdomains such that *.*.domain.tld wouldn't work.
- You can try and use a UCC Cert or SAN Cert to attempt to do:
*.domain.tld
*.subdomain.domain.tld
*.subdomain2.domain.tld
However, this may be rather expensive and/or not efficient.
- Customer has another option to dedicate a separate interface (eth1) for the guest portal and provide a DNS name (which can be served by the local DNS server) such that the guest portal appears to come from *.domain.tld
Thanks for the guidance everyone.
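As an added example (not code from this thread, from Cisco ISE, or from any TLS library), the matching rule quoted from the how-to guide above and the SAN/UCC option from the last post, written out as a Python check. The certificate names are constructed from the hostnames used in the thread; the rule applied is the single-label wildcard matching of RFC 6125 section 6.4.3.

```python
from typing import List

# Hostname-to-certificate-name matching as RFC 6125 / RFC 2818 define it:
# a wildcard stands for exactly one DNS label, and only the left-most one.


def label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label; '*' matches any single label, never a dotted run."""
    return pattern_label == "*" or pattern_label == host_label


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (CN or SAN dNSName) covers hostname.

    Rules applied:
      * comparison is case-insensitive and the label counts must be equal,
        so '*.bar.com' never covers 'ise1.foo.bar.com' (one label too many);
      * '*' is honoured only as the entire left-most label, so
        '*.*.bar.com' and 'ise.*.bar.com' are rejected outright;
      * a wildcard must leave at least two fixed labels ('*.com' is refused).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" in pattern:
        if (p_labels[0] != "*"
                or any("*" in lbl for lbl in p_labels[1:])
                or len(p_labels) < 3):
            return False
    if len(p_labels) != len(h_labels):
        return False
    return all(label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_covers(san_names: List[str], hostname: str) -> bool:
    """A SAN/UCC certificate covers a host if any dNSName entry matches it."""
    return any(hostname_matches(name, hostname) for name in san_names)


if __name__ == "__main__":
    # Constructed certificate name lists (not real certificates).
    single_wildcard = ["*.bar.com"]
    san_cert = ["*.bar.com", "*.foo.bar.com"]
    for names, host in [(single_wildcard, "ise1.bar.com"),
                        (single_wildcard, "ise1.foo.bar.com"),
                        (san_cert, "ise1.foo.bar.com")]:
        print(f"{names} covers {host}: {cert_covers(names, host)}")
```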