If we've got multiple domains under a common domain needing SSL certificates, I understand that a wildcard certificate would do the trick.
If we've got multiple subdomains under several domains, then I'd need a certificate (or wildcard certificate, if each has subdomains) for each higher-level domain. But just like you can create a 'CA certificate' or a regular certificate using openssl, if I were to create a CA certificate signing request and buy a CA certificate, would I then be able to use that CA certificate to create certificates for all our domains and subdomains as much as we want?
Some questions about it:
1. If what I've described above is even possible, what's the disadvantage to going with the CA certificate option?
2. Is there any downside, apart from price, with going with a wildcard domain certificate and not two regular certificates - one for domain.com and one for sub.domain.com? (I think I remember reading somewhere wildcards weren't 'official' or something like that...dunno)
Also, what things should I look for when buying a certificate? For example, if I've understood the concept of a 'root' certificate correctly then you want to look for a certificate that has been signed by the top-level certificate authorities rather than signed by an authority that has been signed by a top-level authority.
But when I look at the list of certificate authorities installed by default in Firefox, they all look like top-level authorities. So basically, any certificate that works without warnings in Firefox would work as well as any other?
(I realize that some authorities do a better series of checks to ensure you're legit, but if a client gets no browser warnings for a certificate signed by a company that does rigorous checks vs one that doesn't, then for me I don't consider strength of background checks as being a criterion in my decision.)
You cannot merely buy a 'CA certificate'; the closest you could easily come (without jumping through $100k+ of hoops, security, procedure, ISO certification etc.) is to become a reseller.
The whole concept of having a central trusted authority and a clear chain of trust breaks down if they give out certificates to anybody.
A wildcard certificate will work for all direct subdomains of example.com, e.g. derp.example.com, and is perfectly valid. If you foresee yourself needing more than about 5 certificates (depending on price) then it's probably better and easier to go with a standard certificate.
Most CAs will let you choose a domain name and a single subdomain for standard certificates, e.g. example.com and secure.example.com, or example.com and www.example.com.
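An added illustration (not code from the question or the answer) of the "direct subdomains only" rule described above: how a TLS client matches the hostname it connected to against the names in a certificate, with a wildcard standing for exactly one DNS label. The SAN lists are constructed samples.

```python
"""Hostname matching against certificate names, following the RFC 6125 rule
that "*" must be the whole left-most label and matches exactly one label.
So "*.example.com" covers "derp.example.com" but neither "example.com"
itself nor "a.b.example.com". Illustrative code; the SAN lists are
constructed sample data, not taken from any real certificate."""
from __future__ import annotations

from typing import Iterable, Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (pattern) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Conservative rule: the wildcard must be the entire left-most label and
    # must leave at least two literal labels (reject "*.com" style names).
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in l for l in plabels[1:]):
        return False
    # One wildcard label matches exactly one hostname label, so the label
    # counts must be equal; this is what excludes the apex and deeper names.
    if len(hlabels) != len(plabels):
        return False
    return hlabels[1:] == plabels[1:] and hlabels[0] != ""


def covering_name(san_names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the SAN entry that covers hostname, or None (client would warn)."""
    for name in san_names:
        if hostname_matches(name, hostname):
            return name
    return None


# Constructed sample: SAN list of a typical wildcard certificate. Issuers
# normally add the apex name too, because "*.example.com" alone does not
# cover "example.com".
WILDCARD_SAN = ["*.example.com", "example.com"]
# Constructed sample: a standard certificate with the domain plus one subdomain.
STANDARD_SAN = ["example.com", "secure.example.com"]

if __name__ == "__main__":
    for host in ["derp.example.com", "example.com", "a.b.example.com", "secure.example.com"]:
        print(f"{host:20} wildcard -> {covering_name(WILDCARD_SAN, host)!s:14} "
              f"standard -> {covering_name(STANDARD_SAN, host)}")
```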