Why can't I get a wildcard EV certificate?

January 25, 2020

The short answer: bankofamerica.com-fraud.ph

an image

By Mike on 15th March 2015

A frequent request we get from new customers is:

Can I have a wildcard EV certificate?

The short answer: No. The rules for EV certificates, made by the browser vendors and CAs, prevent CAs from issuing EV certificates for wildcards.

OK, but why can't I have a wildcard EV certificate?

Excellent question. If you read around the Internet, you'll get answers like this from Network Solutions :

in order to ensure that EV HTTPS Certificates are not issued fraudulently or misused after issuance

Wow. That was incredibly vague. Let's be specific:

Server names are evaluated from left to right - eg, bankofamerica.com is 'bankofamerica' which is underneath 'com' (the 'commercial' domain name). Email phishing attacks typically use hosts which looks like they're in one domain, but actually under another. Think of bankofamerica.com-fraud.ph. In this case 'bankofamerica' is underneath 'com-fraud.ph', which is located in the Philipines.

With DV certificates

  • com-fraud.ph applies for and receives a wildcard SSL certificate for *.com-fraud.ph. The CA confirms they are really the domain com-fraud.ph.
  • A short time later, com-fraud.ph adds a host (server) under com-fraud.ph called bankofamerica.
  • com-fraud.ph sends out emails directing people to visit bankofamerica.com-fraud.ph.
  • Browsers dutifully show https:// in green, since the web users has an encrypted connection going straight to the bad guys at com-fraud.ph

an image

With EV

There are no wildcard certificates for EV certificates. So:

  • All the servers in the certificate are explicitly mentioned. The CA (who verifies the identity) also ensures that all the server names (properly called Subject Alt Names) actually belong to the company being verified. New server names can be added to the certificate later for a small fee, and these are also reviewed by the CA.
  • You won't ever see bankofamerica.com-fraud.ph with an EV certificate, because the application for the fraudulent subdomain would be reviewed by a CA, that flag the fraud attempt and not validate or sign the certificate.

Hence: it's hard for scammers to do phishing with EV certificates.

Coincidentally: Bank of America now uses an EV certificate, as do most banks.