Nor does *.domain.com work for domain.com, correct?

Just out of curiosity, do you perceive a trust constraint there (for any
real-world situation)?

Charles

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Wednesday, October 24, 2012 11:38 AM
To: openssl-users@openssl.org
Subject: RE: Wild card SSL; use on multiple Apache servers

>From: owner-openssl-us...@openssl.org On Behalf Of Alan Buxey
>Sent: Wednesday, 24 October, 2012 03:00
>To: aurfal...@gmail.com; openssl-users@openssl.org
>Subject: Re: Wild card SSL; use on multiple Apache servers
        
>The wildcard is for a particular domain (* is value for any host within 
>it) . If your other server is in a different domain, then it won't 
>work.

Right. Because the CA only verified your control of the domain that it
issued the cert for; if you get a cert for fredsmith.com and could use it on
a server that impersonates www.amazon.com you could steal billions of
dollars from millions of people.

And an added point which is not obvious to some people: it's only
implemented for one level. *.domain.com works for www.domain.com,
ftp.domain.com, silly.domain.com, but NOT www.foo.domain.com. Even though
this wouldn't actually violate the trust constraint in any situation I can
imagine.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
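The one-level matching rule discussed in the thread, as an added example (this is not code from the thread and not OpenSSL's implementation; a real client should call the library's own check, e.g. OpenSSL's X509_check_host). The matcher below applies the wildcard rules of RFC 6125 section 6.4.3 as modern TLS clients enforce them: "*" must be the entire left-most label, at least two labels must follow it, and it matches exactly one label. The sample names and the SAN lists are constructed for the demonstration; the cert_covers_host helper is an assumed name, not a library API.

```python
"""Certificate dNSName vs. hostname matching, wildcard rules included.

Added example, not code from the openssl-users thread or from OpenSSL.
It implements the behaviour described in the reply above: '*' matches
exactly one DNS label, so *.domain.com covers www.domain.com but neither
domain.com nor www.foo.domain.com.  Real code should use the TLS
library's routine (OpenSSL: X509_check_host) rather than this.
"""
from typing import List, Optional


def _labels(name: str) -> Optional[List[str]]:
    """Split a DNS name into lower-cased labels; None if it is malformed."""
    name = name.rstrip(".").lower()       # trailing dot and case are not significant
    if not name:
        return None
    labels = name.split(".")
    if any(not lbl for lbl in labels):    # empty label, e.g. "a..b"
        return None
    return labels


def dns_name_matches(cert_name: str, host: str) -> bool:
    """True if the dNSName `cert_name` from a certificate covers `host`."""
    cert = _labels(cert_name)
    target = _labels(host)
    if cert is None or target is None:
        return False
    if "*" in host:                       # a client never connects to a wildcard host
        return False
    if "*" not in cert_name:
        return cert == target             # plain name: exact label-by-label match
    # Wildcard rules (RFC 6125 6.4.3, as enforced by modern TLS clients):
    #  - '*' must be the entire left-most label (no f*.example.com, no a.*.b);
    #  - at least two labels must follow it (no *.com);
    #  - it matches exactly one label: never zero, never "a.b".
    if cert[0] != "*" or any("*" in lbl for lbl in cert[1:]):
        return False
    if len(cert) < 3:
        return False
    if len(target) != len(cert):          # enforces the "one level only" rule
        return False
    return cert[1:] == target[1:]


def cert_covers_host(san_dns_names: List[str], host: str) -> bool:
    """True if any dNSName in the certificate's SAN list covers `host`."""
    return any(dns_name_matches(n, host) for n in san_dns_names)


if __name__ == "__main__":
    # Constructed sample: a wildcard certificate whose only SAN is *.domain.com
    san = ["*.domain.com"]
    for h in ["www.domain.com", "ftp.domain.com", "silly.domain.com",
              "domain.com", "www.foo.domain.com", "www.otherdomain.com"]:
        print(f"{h:24s} -> {cert_covers_host(san, h)}")
```

Because the bare name is not matched by the wildcard, a certificate meant to serve both domain.com and its hosts needs domain.com listed as a second dNSName alongside *.domain.com; cert_covers_host with that two-entry SAN list shows the combined effect.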
