Here's our situation (sanitized):
- We have a wildcard certificate for *.foo.com -- CA is "Primary CA"
- We are considering adding a vendor's SaaS. Our requirements state the vendor SaaS site URL should be bar.foo.com.
- While we could issue a separate wildcard certificate *.foo.com from "Primary CA" specifically for this vendor's SaaS site, the vendor at this time is not ready to support hosting that separate wildcard certificate. Instead, the vendor will themselves arrange for a site-specific SSL certificate for bar.foo.com -- quite potentially from a CA other than "Primary CA".
- Our current concept is to pass information between two sites using cookies as well as JavaScript calls:
  - www.foo.com with the above-mentioned wildcard certificate from "Primary CA"
  - bar.foo.com with the vendor-provided site-specific SSL certificate -- most likely from another CA

Questions:
- In theory, bar.foo.com should be covered by the wildcard certificate. Will this cause browsers to reject the vendor-provided site-specific certificate for bar.foo.com?
- Given the certificates for www.foo.com and bar.foo.com will be coming from two CAs, will we be able to pass cookies and use JavaScript calls between the two sites without browsers complaining about cross-site problems, same-origin problems, etc.?
Thank you for your help.