How to Check if an SSL Certificate Supports Wildcard Subdomains Using Browser Inspection


When integrating third-party services or configuring load balancers, developers often need to verify whether a website's SSL certificate supports wildcard subdomains (*.example.com). Here's a technical deep dive into manual verification methods.

The most reliable method is examining the certificate's Subject Alternative Name (SAN) extension, because that is the list TLS clients actually match the hostname against. A wildcard certificate lists the wildcard pattern explicitly there:

openssl x509 -in certificate.crt -text -noout | grep "DNS:"

Example output showing wildcard support:

DNS:*.example.com, DNS:example.com

For quick checks without server access:

  1. Click the padlock icon in Chrome/Firefox
  2. Select "Certificate" or "View Certificate"
  3. Navigate to "Details" tab
  4. Look for the "Subject Alternative Name" field and check for entries starting with "*." (e.g. *.example.com)

For automation scripts or CI/CD pipelines:

#!/bin/bash
# Fetch the leaf certificate served for example.com. -servername sets SNI so a
# multi-tenant host returns the right certificate; </dev/null stops s_client
# from waiting on stdin after the handshake.
cert=$(openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
       | openssl x509 -noout -text)

# Note: a quoted pattern on the right of [[ =~ ]] is matched literally, so
# "DNS:\*" would look for a backslash. A glob comparison is simpler and correct.
if [[ $cert == *"DNS:*."* ]]; then
    echo "Wildcard certificate detected"
else
    echo "No wildcard support found"
fi

Only one wildcard form is valid in publicly trusted certificates:

  • Single-level: *.example.com covers blog.example.com, but not dev.blog.example.com and not the bare example.com (the bare domain must be listed as its own SAN entry)
  • Multi-level: *.*.example.com is not permitted by the CA/Browser Forum Baseline Requirements, and browsers reject a wildcard anywhere other than the leftmost label, so you will not see it in a publicly trusted certificate

Be aware that certificates may include:

  • Mixed entries: Both specific names and a wildcard, e.g. DNS:*.example.com alongside DNS:example.com or DNS:api.example.com
  • One label only: *.example.com covers exactly one subdomain level; that is how every wildcard works, not a CA quirk, so a hostname with an additional label needs its own entry
  • Renewed without the wildcard: A certificate that previously listed *.example.com may have been reissued with specific names only, so re-check after every renewal instead of relying on an earlier inspection
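The rules above (one wildcard, leftmost label only, exactly one label, bare domain not covered, SAN authoritative over the Common Name) are easy to get wrong in a hand-rolled check. Here is an added example, not code from the original article, that implements them as a small matcher over the dict shape `ssl.SSLSocket.getpeercert()` returns, so it can be dropped into a live connection check; the certificate dict below is constructed sample data, and the function names are my own.

```python
# Added example: RFC 6125 / CA/Browser Forum style wildcard matching over the
# dict shape returned by ssl.SSLSocket.getpeercert(). Not code from the
# original article; SAMPLE_CERT is constructed sample data.


def san_dns_names(cert):
    """DNS names a validator would consider for this certificate.

    The SAN extension is authoritative. The Common Name is consulted only
    when no SAN is present (legacy behaviour; modern browsers skip it).
    """
    names = [value for kind, value in cert.get("subjectAltName", ())
             if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """True if a single SAN entry covers hostname.

    Wildcard rules: '*' must be the entire leftmost label, at least two
    labels must follow it, and it stands in for exactly one label.
    Comparison is case-insensitive and ignores a trailing dot.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject "*.*.example.com", "sub.*.example.com", "f*.example.com", "*.com"
    if (p_labels[0] != "*"
            or any("*" in label for label in p_labels[1:])
            or len(p_labels) < 3):
        return False
    # One label only: "*.example.com" covers neither "example.com"
    # nor "dev.blog.example.com"
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def covers(cert, hostname):
    """True if any usable name in cert covers hostname."""
    return any(name_matches(name, hostname) for name in san_dns_names(cert))


def wildcard_entries(cert):
    """The wildcard SAN entries, i.e. what grepping for 'DNS:*.' would find."""
    return [name for name in san_dns_names(cert) if name.startswith("*.")]


# Constructed sample, shaped like ssl.SSLSocket.getpeercert() output
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}

if __name__ == "__main__":
    for host in ("blog.example.com", "dev.blog.example.com", "example.com"):
        state = "covered" if covers(SAMPLE_CERT, host) else "not covered"
        print(f"{host}: {state}")
```

Against the sample certificate, blog.example.com and example.com are covered and dev.blog.example.com is not; drop the bare-domain SAN entry and example.com stops matching, and a wildcard that appears only in the Common Name is ignored as soon as a SAN extension is present, which is exactly what the earlier grep-based checks cannot tell you.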

For Node.js applications:

const tls = require('tls');

const socket = tls.connect(443, 'example.com', { servername: 'example.com' }, () => {
  const cert = socket.getPeerCertificate();
  // subjectaltname is a string such as "DNS:*.example.com, DNS:example.com"
  const sans = (cert.subjectaltname || '').split(', ');
  const hasWildcard = sans.some((entry) => entry.startsWith('DNS:*.'));
  console.log(`Wildcard support: ${hasWildcard}`);
  socket.end();
});
socket.on('error', (err) => console.error(`TLS connection failed: ${err.message}`));

For a more technical approach, use OpenSSL to fetch the served certificate and list its SAN entries (-servername sets SNI so a multi-tenant host returns the right certificate; </dev/null stops s_client from waiting on stdin):

openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | \
openssl x509 -noout -text | grep "DNS:"

This will show all domain patterns the certificate covers. Wildcard entries will appear as "DNS:*.example.com".

Here's a Python script to check wildcard support programmatically:


import ssl
import OpenSSL  # third-party: pip install pyOpenSSL


def check_wildcard(hostname):
    # Fetches the leaf certificate as PEM. No chain validation is performed,
    # which is fine for inspection but not for a trust decision.
    cert = ssl.get_server_certificate((hostname, 443))
    x509 = OpenSSL.crypto.load_certificate(
        OpenSSL.crypto.FILETYPE_PEM, cert)

    for i in range(x509.get_extension_count()):
        ext = x509.get_extension(i)
        if ext.get_short_name() == b'subjectAltName':
            # str(ext) renders as "DNS:*.example.com, DNS:example.com";
            # every entry carries its "DNS:" prefix, so test for "DNS:*."
            entries = [e.strip() for e in str(ext).split(',')]
            return any(e.startswith('DNS:*.') for e in entries)

    return False

Key fields indicating wildcard support:

  • Subject Common Name: May contain *.domain, but modern browsers ignore the CN and match against the SAN only, so a wildcard that appears only in the CN does not count
  • Subject Alternative Names: The authoritative list; a wildcard is supported only if it appears here
  • Certificate Type: Wildcard certificates are DV or OV; the CA/Browser Forum EV Guidelines do not allow wildcards in EV certificates

Recognize these SAN entry forms:


*.example.com - First-level subdomains only (one label in place of the *)
*.*.example.com - Not issued by publicly trusted CAs and rejected by browsers
example.com - The bare domain; covered only when listed explicitly, never by *.example.com