Slightly off-topic: what's a good way to handle cases such as this where you have a wildcard certificate?
I'll be getting a wildcard certificate for a project and, never having used one before, I had assumed the certificate would be valid for an entire domain.
Assuming that to be the case, is having a wildcard certificate for *.example.com and a second certificate for example.com the solution? It'd be nice to have the entire domain covered by a wildcard certificate and not just all subdomains.
With RapidSSL, if you order a cert for www.domain.com then it will also cover domain.com. But if you order a cert for domain.com or sub.domain.com then it will NOT secure www.domain.com.
So basically make sure your CSR request is for www.domain.com if you want to also secure the root domain.
Bizarrely, this only works for second-level domains however, and isn't disclosed in advance.
Really, CAs shouldn't be throwing in "free bonus" SANs without customer authorization ever. It would be much better to have a place to enter the SANs, or a checkbox asking if I want "www." as well, or to apply to the parent also, or whatever. That would also make the process more apparent to the user in addition to being more secure.
Not all that off-topic. For your example, you should get a certificate made out to ("Subject CN") example.com or *.example.com, then list both the wildcard and the subdomainless entry as Subject Alternative Names.
I understand from this situation that a wildcard certificate is relevant only to https://*.example.com and not the subdomainless https://example.com.
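An added example, not part of the thread: a small Python matcher for the wildcard rule discussed above, showing why `*.example.com` alone leaves `example.com` uncovered and what the two-entry Subject Alternative Name list from the reply changes. It goes one step further than the thread by also checking a multi-level subdomain; the function names and SAN lists are constructed for illustration.

```python
# Added example: DNS name matching against a certificate's SAN list,
# following the usual rule that '*' is the whole left-most label and
# stands for exactly one label. All SAN lists here are constructed.

def _labels(name):
    # Case-insensitive comparison; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")

def san_matches(pattern, hostname):
    """True if a single SAN dNSName entry covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False          # '*' never absorbs zero or several labels
    if p[0] == "*":
        if len(p) < 3:
            return False      # simplified stand-in for a public-suffix check
        return p[1:] == h[1:]
    return p == h             # no wildcard: labels must match exactly

def cert_covers(sans, hostname):
    return any(san_matches(s, hostname) for s in sans)

def uncovered(sans, hostnames):
    """Hostnames a client would reject for a cert carrying these SANs."""
    return [h for h in hostnames if not cert_covers(sans, h)]

WILDCARD_ONLY = ["*.example.com"]
WILDCARD_PLUS_APEX = ["example.com", "*.example.com"]
HOSTS = ["example.com", "www.example.com", "api.example.com", "a.b.example.com"]

if __name__ == "__main__":
    for label, sans in [("wildcard only", WILDCARD_ONLY),
                        ("wildcard + apex", WILDCARD_PLUS_APEX)]:
        print(f"{label}: not covered -> {uncovered(sans, HOSTS)}")
```

Running the same `uncovered` check against the SAN list of an issued certificate, before deploying it, shows which of the hostnames you serve would fail validation.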