My firm has a DigiCert wildcard certificate which we purchased to cover a number of purposes for our single site needs, but the most important of these are:
- On Premise Exchange 2010
- Check Point VPN (Mobile Access SNX)
When I was doing the research for what certificate type to buy rather than a UCC style cert (UCC gets you get 4 Subject Alternate Names for a set price and add on cost per additional SAN)
When I realized that the Digicert Wildcard cert allowed you to not only have unlimited hosts at the hierarchical level of the wildcard itself:
It is pretty straightforward that a wildcard CN of "*.contoso.com" covers:
- and so on
But you can also request blocks of 10 fully qualified Subject Alternate Names at any hierarchical level deeper than that
- etc etc....
This proved to be economically a home run for us, as we had a number of devices that require legitimate certificates in order to have their management GUIs not be a total pain in the keister. (I did not want to bother with setting up an AD managed CA and use GPO to push the certs to the browsers, blah blah blah)
The question is, if our current SNX vpn fully qualified hostname is vpn.contoso.com and currently a SAN from our (soon to expire) UCC cert is working fine with it, will a wildcard cert with a CN of *.contoso.com work with it?
Also, how do I generate the CSR properly?
Do I need to request the duplicate certificate with vpn.contoso.com in the list of SANs? does that even matter in this case?