An In-Depth Look at Why a Wildcard SSL Certificate Causes a Domain Mismatch Error on a Second Level Subdomain
We know, you’re here because your wildcard SSL is not working on a second level subdomain for some reason. To help you understand why, we first need to tell you a bit about wildcard SSL certificates and what they do and don’t secure. The digital certificate industry is, at times, needlessly opaque about what its products actually do. The wildcard is one of the biggest offenders. It’s often marketed as securing “unlimited subdomains.” And that’s partially true — with one important caveat:
Wildcard SSL certificates secure unlimited subdomains at ONE domain level.
How a Wildcard SSL Certificate Works
Let’s look at the construction of a URL:
When you get a wildcard issued, you place a wildcard character (*) at the subdomain level you're securing. Generally, that is the first level. The problem comes when a first-level subdomain has its own subdomain (a second-level subdomain): you can't use that wildcard on it. As stated above, the wildcard only stands in for one level of the hostname.
If you DO try to use the wildcard for a subdomain at a level other than the one designated, you're going to get a domain mismatch error.
Again, wildcard SSL certificates ONLY secure subdomains on the designated level.
Your issue is that your wildcard SSL isn’t working for the subdomains you need. So, how do you fix the domain mismatch error and secure your second-level subdomains?
You’re going to need to get creative. And, frankly, this is where a wildcard can be found wanting. That’s because securing subdomains past the first level becomes even more complicated.
Let's say we have two first-level subdomains, each with its own second-level subdomain. Those second levels belong exclusively to the first-level subdomain they're tacked on to. So you can't use a single wildcard to secure ALL of those second-level subdomains at once. Rather, you'd need two wildcard SSL certificates, each listing the domain as well as the first-level subdomain its second-level subdomain hangs off.
That's going to add up pretty quickly. And securing them with individual certificates is also going to run up quite a tab — not to mention be a pain in the butt to manage manually.
So, when your wildcard SSL is not working on the subdomain level for the reasons we’ve listed, how can you address the issue most effectively?
Use Multi Domain Wildcard SSL to Fix Your Wildcard Domain Mismatch Error
This is a good use case for a multi domain wildcard SSL certificate, which can cover up to 250 different domains, each with wildcard functionality. A multi domain wildcard can also act as a multi-level wildcard: you list the different permutations (the domain, *.domain, *.first-level.domain, and so on) and thereby secure the subdomains at every level of your hostname on one certificate. This is both the most cost-effective and convenient solution.
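To make the rule concrete, here is an added example (not code from the original article) of the hostname matching a TLS client performs against a certificate's SAN list, following RFC 6125 as browsers apply it. It shows why *.example.com fails for a second-level subdomain and how listing each parent level as its own wildcard SAN on a multi-domain wildcard covers them all; the domains (example.com and its subdomains) are made up.

```python
# Added example (not from the original article): how a TLS client matches a
# hostname against a certificate's dNSName SAN entries, per RFC 6125 s.6.4.3 as
# browsers apply it. The domains below (example.com and friends) are made up.

def san_matches(san: str, hostname: str) -> bool:
    """Return True if one SAN entry covers `hostname`.

    Rules enforced by mainstream clients:
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is honoured only as the entire leftmost label ("*.example.com");
      * the wildcard stands for exactly ONE label, so it never spans a dot;
      * a wildcard needs at least two labels after it ("*.com" is refused).
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in san:
        return san_labels == host_labels            # plain name: exact match only
    if san_labels[0] != "*" or any("*" in lbl for lbl in san_labels[1:]):
        return False                                 # "b*.example.com" etc. rejected
    if len(san_labels) < 3:
        return False                                 # refuse "*.com" and bare "*"
    if len(host_labels) != len(san_labels):
        return False   # depth differs: this is the second-level subdomain mismatch
    return host_labels[1:] == san_labels[1:]         # parent labels must match exactly


def cert_covers(san_list, hostname: str) -> bool:
    """A certificate covers the host if ANY of its SAN entries matches."""
    return any(san_matches(san, hostname) for san in san_list)


def wildcard_sans_needed(hostnames) -> list:
    """Wildcard SAN entries a multi-domain wildcard must list so that every
    hostname is covered: one "*.<parent>" per distinct parent, whatever the depth."""
    return sorted({"*." + host.split(".", 1)[1] for host in hostnames})


if __name__ == "__main__":
    single_wildcard = ["example.com", "*.example.com"]
    hosts = ["blog.example.com", "dev.blog.example.com", "test.shop.example.com"]
    for host in hosts:                    # only the first-level host passes
        print(f"{host:<24} covered by *.example.com: {cert_covers(single_wildcard, host)}")

    # The fix from the article: list every parent level on one certificate.
    multi = ["example.com"] + wildcard_sans_needed(hosts)
    print("multi-domain wildcard SANs:", multi)
    for host in hosts:
        print(f"{host:<24} covered by multi-domain wildcard: {cert_covers(multi, host)}")
```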
The only drawback is that there is no extended validation (EV) variant, meaning you can only secure your domains with domain validation (DV) or organization validation (OV). But if you're using a wildcard already, that's likely not news to you.
There's also some risk in using the same key pair across many hosts, owing to a type of parallel brute-force attack against keys. Perfect Forward Secrecy (ephemeral key exchange) helps mitigate some of that risk, but again, if you were already using wildcards, you're undoubtedly aware of this.
Purchase a Multi Domain Wildcard Certificate & Save Up to 84%
We offer the best discount on all types of Multi Domain Wildcard SSL Certificates, including PositiveSSL, Comodo CA, and Sectigo Multi-Domain Wildcard SSL certificates.