1
votes

I've been using an online SSL checker to check certificate validity for several sites.

One thing I noticed is that many websites have wildcard certificates - especially those hosted on common web hosting sites, such as GoDaddy: *.onlinestore.godaddy.com

But those sites have custom domains and so when validating the SSL cert I can see an error where the hostname does not match the altnames listed in the certificate.

But all major browsers (tested Chrome, FF, IE and Safari) still show the site as secure. Do the browsers not care that the domain names are not listed in the cert, and isn't that a security vulnerability?

Example: https://www.sslshopper.com/ssl-checker.html#hostname=www.cinnamonmotif.com

2
It sounds like your online checker is wrong, and since you haven't named it, nor provided a concrete example, this question cannot be answered. - Jonathon Reinhart
As long as the wildcard rule is matched, the certificate is indeed valid. For example, for the given certificate, foo.onlinestore.godaddy.com or test.onlinestore.godaddy.com are valid names, but bar.godaddy.com is not. - Alejandro
Example added - and in this case it does not match the wildcard rule listed in the cert - D-Money

2 Answers

1
votes

In case a wildcard certificate is installed on a domain, the browser only checks the certificate validity and the wildcard rule. As long as this rule is true, the certificate is trusted and no warning appears.

0
votes

If you look at the certificate that the browser resolved, you'll see that it's different from the one sslshopper.com resolved.

When you connect with a modern browser, the client sends the TLS Server Name Indication extension, and the site notices that it's supposed to serve up the cinnamonmotif.com certificate.

SslShopper saw *.onlinestore.godaddy.com, which is certificate 0x6068c7475ab4ee2a from Go Daddy Secure Certificate Authority - G2.

With SNI, the served-up certificate is cinnamonmotif.com, certificate 0x3e0240d9425e8120 from Go Daddy Secure Certificate Authority - G2.

The fact that the browser saw a different certificate, which is a hostname match, is why the browser says it's a legitimate connection.
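The two answers above make two separate points: the first is about the wildcard rule a browser applies to the names in a certificate, the second about SNI deciding which certificate the server presents in the first place. The following script is an added example, not code from either answer or from sslshopper.com. It implements the name-matching rule browsers use (a leading `*` matches exactly one DNS label and never crosses a dot), applies it to two constructed certificate dicts shaped like `ssl.SSLSocket.getpeercert()` output, and includes a helper that fetches a server's certificate with or without sending SNI so the two can be compared. The SAN lists in the sample dicts are assumptions built from the names mentioned in the answers; only the serial numbers are taken from the text.

```python
"""Added example: browser-style hostname matching against certificate names,
and fetching a server's certificate with and without SNI.

The certificate dicts below are CONSTRUCTED samples in the shape returned by
ssl.SSLSocket.getpeercert(); their SAN contents are an assumption, not real
certificate data.
"""
import socket
import ssl

# Constructed sample: the wildcard certificate a client that sends no SNI
# is described as receiving.
CERT_WITHOUT_SNI = {
    "subject": ((("commonName", "*.onlinestore.godaddy.com"),),),
    "subjectAltName": (("DNS", "*.onlinestore.godaddy.com"),),
    "serialNumber": "6068C7475AB4EE2A",
}

# Constructed sample: the certificate served once SNI names the custom domain.
CERT_WITH_SNI = {
    "subject": ((("commonName", "cinnamonmotif.com"),),),
    "subjectAltName": (("DNS", "cinnamonmotif.com"), ("DNS", "www.cinnamonmotif.com")),
    "serialNumber": "3E0240D9425E8120",
}


def dns_name_matches(pattern, hostname):
    """Match one certificate name against a hostname the way browsers do:
    case-insensitive; a single '*' is allowed only as the entire leftmost
    label, matches exactly one label, and the pattern must have at least
    three labels (so '*.com' can never match)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # exactly one label may stand in for the '*', so label counts must agree
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """DNS names the certificate is valid for. Browsers consult subjectAltName
    only; the commonName fallback is kept for certificates that have no SAN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for kind, value in rdn:
                if kind == "commonName":
                    names.append(value)
    return names


def hostname_matches_cert(hostname, cert):
    """True if any name in the certificate covers the hostname."""
    return any(dns_name_matches(name, hostname) for name in cert_names(cert))


def fetch_peer_cert(host, port=443, use_sni=True, timeout=10):
    """Connect over TLS and return the certificate the server presents.
    With use_sni=False no server_hostname is sent, which is how a checker
    that reports the wildcard certificate appears to have connected.
    Chain validation stays on; only the automatic hostname check is turned
    off so a mismatching certificate is returned for inspection instead of
    raising, and hostname_matches_cert() is applied explicitly afterwards."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    server_hostname = host if use_sni else None
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    target = "www.cinnamonmotif.com"
    for label, cert in (("no SNI", CERT_WITHOUT_SNI), ("with SNI", CERT_WITH_SNI)):
        print(label, cert_names(cert), "matches" if hostname_matches_cert(target, cert) else "MISMATCH")
    # Live comparison (needs network): uncomment to repeat the answer's observation.
    # for sni in (False, True):
    #     live = fetch_peer_cert(target, use_sni=sni)
    #     print("SNI" if sni else "no SNI", live.get("serialNumber"), hostname_matches_cert(target, live))
```

Run as-is it only exercises the constructed samples: the wildcard certificate does not cover `www.cinnamonmotif.com`, the SNI-selected one does. With the commented lines enabled, `fetch_peer_cert` reproduces the comparison the answer describes against a live host, and the serial numbers returned can be checked against the two quoted above.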