Let's say that I buy a *.example.com SSL certificate. I now want to generate subcertificates and include the *.example.com certificate in the trust path:
- host1.example.com, with an alternate name rr.example.com
- host2.example.com, with an alternate name rr.example.com
- host3.example.com, with an alternate name rr.example.com
The questions are:
- Will those subcertificates be recognized by web browsers and other clients if the *.example.com cert is recognized?
- Would I need to regenerate all the subcertificates when the main cert expires, or would I be able to prolong the *.example.com one and leave the rest intact, or issue a new *.example.com cert and sign my subcertificates with that one?
I'm actually searching for a cheap way to migrate my network from self-signed certificates to signed ones; that's why every server should have a different certificate rather than a shared one. Besides, it should also be easier to maintain if one of those keys leaks.