wildcard subdomain SSL certs

A friend asked:

If I bought a wildcard certificate for *.domain.com, wouldn’t that cover
*.sub.domain.com?

Hrm…I had to look that one up. The answer is: no, not according to the RFC. RFC 2818 states:

Matching is performed using the matching rules specified by
[RFC2459]. If more than one identity of a given type is present in
the certificate (e.g., more than one dNSName name, a match in any one
of the set is considered acceptable.) Names may contain the wildcard
character * which is considered to match any single domain name
component or component fragment. E.g., *.a.com matches foo.a.com but
not bar.foo.a.com. f*.com matches foo.com but not bar.com.

more here: http://www.ietf.org/rfc/rfc2818.txt

There are reports that older versions of Firefox don’t complain when encountering an out-of-spec sub-domain SSL wildcard but IE would. I would recommend sticking with the RFC spec.
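To make the RFC 2818 rule concrete, here is an added example (not code from the original post) that implements the section 3.1 matching logic: a `*` stands in for at most one DNS label, or a fragment of one, and never spans a dot, which is why `*.domain.com` does not cover hosts under `sub.domain.com`. The function and hostnames below are my own illustration.

```python
import re


def rfc2818_match(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname` per RFC 2818 3.1."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # A hostname with an empty label (e.g. ".a.com") is malformed; never match it.
    if any(not label for label in hlabels):
        return False
    # One "*" can only stand in for (part of) a single label, so the label
    # counts must agree. This is the check that rejects bar.foo.a.com
    # against *.a.com, and *.sub.domain.com hosts against *.domain.com.
    if len(plabels) != len(hlabels):
        return False
    for p, h in zip(plabels, hlabels):
        if "*" in p:
            # "Component fragment" match: f*.com matches foo.com but not bar.com.
            regex = "^" + ".*".join(re.escape(part) for part in p.split("*")) + "$"
            if not re.match(regex, h):
                return False
        elif p != h:
            return False
    return True


def any_name_matches(cert_names, hostname: str) -> bool:
    """RFC 2818: with several dNSName entries, a match on any one is acceptable."""
    return any(rfc2818_match(name, hostname) for name in cert_names)


if __name__ == "__main__":
    # Constructed sample: a wildcard cert for *.domain.com checked against
    # a direct child and a grandchild host.
    for host in ("www.domain.com", "www.sub.domain.com"):
        print(host, "->", rfc2818_match("*.domain.com", host))
```

RFC 6125 later restricted the wildcard to the entire leftmost label, and current browsers follow it, so the `f*.com` fragment form should not be relied on even though RFC 2818 permits it.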
