An article by Kevin Hale over at Particletree about the pain of dealing with subdomains got me thinking, and I realized I actually have something very applicable and helpful to say on the subject.
I don’t think I have ever written here about the stuff I do 40+ hours a week for DigiCert. I work as Director of Web Development for DigiCert, and there are some things we do that I am pretty proud of. But this is the first time I have been moved to write about it.
Some background on DigiCert, and then I will tie it in with what Kevin wrote. We sell SSL Certificates, which doesn’t mean anything to a lot of people. Here’s the layman’s version: when you go to buy something online, the address will usually start with https instead of http. The “s” stands for “secure,” and it means the data you are submitting is being encrypted by an SSL Certificate.
There are two basic kinds of SSL Certificates: single certificates, which secure one “common name” (one specific fully qualified domain name); and wildcard certificates, which secure every first-level subdomain on a given domain. So for example, with a single certificate, you could secure “www.jeffjsnider.com” OR “mail.jeffjsnider.com” OR “secure.jeffjsnider.com.” A wildcard certificate would be issued to “*.jeffjsnider.com,” which means you could secure all three of those domain names (and as many other first-level subdomains of the “jeffjsnider.com” domain as you wanted).
Wildcard certificates do have one major limitation, though, which Kevin touched on:
One thing that we don’t like is that, since that certificate only works with subdomains, we have to do things like https://secure.wufoo.com/login/ to get an encrypted login url rather than having a simple url like this https://wufoo.com/login/ for our users to follow (and we’ll be damned before having to pay for two different certificates just for this kind of functionality).
The problem is, while a certificate issued to “*.jeffjsnider.com” would secure all those first-level subdomains, it wouldn’t actually secure just “jeffjsnider.com.” More and more of the web is subscribing to the idea that “www” is deprecated, which means it is becoming more and more important to be able to secure the base domain along with any necessary subdomains. As Kevin mentioned, the solution has always been to buy a wildcard certificate for all the subdomains AND a single certificate for the base domain.
There is a little-used (but ridiculously widely supported by browsers) feature of SSL certificates. It is a field called Subject Alternative Name, and it allows multiple common names to be specified in a single certificate. We at DigiCert first put this to use a couple months ago, when we launched our Unified Communications Certificates, designed primarily for use with Microsoft’s Exchange and Live Communication Servers. DigiCert UC Certificates use the Subject Alternative Name field to allow the customer to specify up to 50 common names to secure with one certificate.
Well, we were thinking about it, and we realized that the number one complaint about wildcard certificates was exactly what Kevin said: they do great on subdomains, but they miss the boat when it comes to NO subdomain. So we put the Subject Alternative Name to use in a way no one ever had before, and what we came up with was WildCard Plus, a simple and elegant solution to an irksome problem. As of May 14, 2007, every DigiCert WildCard certificate is issued with the base domain in the SubjAltName field, which means your certificate will work not only on all your first-level subdomains, but also on your base domain with no subdomain at all.
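To make the difference concrete, here is a small added example (my own illustration, not DigiCert code and not part of the original post) of the name-matching rule a browser applies when it decides whether a certificate covers the host in the address bar. A leading "*" stands in for exactly one DNS label, which is why "*.jeffjsnider.com" covers "www.jeffjsnider.com" but not the bare "jeffjsnider.com", and it goes one step beyond the post by also showing that a second-level name such as "a.b.jeffjsnider.com" is not covered either. The three name lists are constructed sample data standing in for a single certificate, a plain wildcard, and a wildcard with the base domain added as a Subject Alternative Name; the function names are my own.

```python
"""Hostname matching against certificate names (constructed example).

Implements the label-by-label comparison browsers use when checking whether a
certificate covers a hostname. A leading "*" matches exactly one DNS label, so
"*.example.com" covers "www.example.com" but neither "example.com" (no label to
fill) nor "a.b.example.com" (two labels). The certificate name lists below are
constructed sample data, not real certificates.
"""

from typing import Iterable, List


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if cert_name (a CN or SAN dNSName entry) covers hostname."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard expands to exactly one label, never zero or several, so the
    # label counts must be identical for a match to be possible at all.
    if len(cert_labels) != len(host_labels):
        return False
    for i, (c, h) in enumerate(zip(cert_labels, host_labels)):
        # Only a whole leftmost label may be a wildcard, and only when at
        # least two literal labels follow it ("*.com" is rejected). Partial
        # wildcards like "w*" and wildcards deeper in the name are compared
        # literally and therefore never match a real hostname.
        if c == "*" and i == 0 and len(cert_labels) >= 3:
            continue
        if c != h:
            return False
    return True


def certificate_covers(names: Iterable[str], hostname: str) -> bool:
    """True if any name in the certificate (CN plus SAN dNSNames) covers hostname."""
    return any(name_matches(n, hostname) for n in names)


def uncovered_hosts(names: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """Audit helper: the hostnames this certificate would NOT be valid for."""
    names = list(names)
    return [h for h in hostnames if not certificate_covers(names, h)]


# Constructed name lists standing in for the three certificate types in the post.
SINGLE_CERT = ["www.jeffjsnider.com"]
WILDCARD_CERT = ["*.jeffjsnider.com"]
WILDCARD_PLUS_CERT = ["*.jeffjsnider.com", "jeffjsnider.com"]  # base domain via SAN

HOSTS_TO_SERVE = [
    "jeffjsnider.com",
    "www.jeffjsnider.com",
    "mail.jeffjsnider.com",
    "secure.jeffjsnider.com",
    "a.b.jeffjsnider.com",
]

if __name__ == "__main__":
    for label, names in (
        ("single", SINGLE_CERT),
        ("wildcard", WILDCARD_CERT),
        ("wildcard + base SAN", WILDCARD_PLUS_CERT),
    ):
        print(f"{label:>20}: not covered -> {uncovered_hosts(names, HOSTS_TO_SERVE)}")
```

Running the script prints, for each constructed certificate, which of the hostnames it would fail to secure: the plain wildcard leaves the bare domain (and the second-level name) uncovered, while adding the base domain as a Subject Alternative Name leaves only the second-level name, which no first-level wildcard can reach.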
Like I said, it’s simple and elegant. And it’s included in the price of a regular WildCard certificate. I love being a part of a company that listens to its customers and develops solutions based on their needs.