I have a wildcard certificate such as *.domain.com, I have a server with a DNS URL of aftab.hussain.domain.com, this configuration fails the CN check, my testing shows that the cert has to be *.hussain.domain.com. I don’t see a way around this without skipping the check, so will just have to change my cert, just means I need more certificates, rather than just one.
Correct. Wildcard certificates only cover a single wildcard (e.g., *.domain.com), not multiple (*.*.domain.com).
You should still be able to accomplish this with a single certificate, though. You just may need multiple Subject Alternative Name values on the cert. I’ve read conflicting reports as to whether a DNS name of *.*.domain.com on a certificate will work with modern browsers or not; you’d have to test it to see if it’s that easy. If not, then you may need to have multiple SANs for each domain (*.domain.com, *.child.domain.com, etc.)
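To make the rule concrete, here is an added example (not code from this thread) of the hostname-matching logic a TLS client applies to the DNS names in a certificate, following RFC 6125 section 6.4.3 as browsers and OpenSSL implement it: the wildcard must be the entire left-most label and it matches exactly one label, which is why *.domain.com does not cover aftab.hussain.domain.com and why a *.*.domain.com entry is rejected outright. Note also that modern browsers ignore the CN and only consult the subjectAltName extension, so the extra names have to go there. The SAN lists and hostnames below are constructed for illustration.

```python
# Added example: how a TLS client matches a server hostname against the
# certificate's DNS names (the rule from RFC 6125 section 6.4.3 that modern
# browsers and libraries implement). Not code from the original thread.
# The hostnames and SAN lists below are constructed for illustration.

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate DNS name `pattern` covers `hostname`.

    Rules applied (RFC 6125 / RFC 2818, as browsers and OpenSSL enforce them):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard must be the entire left-most label ("*.example.com");
        partial wildcards ("w*.example.com") and wildcards in any other label
        ("*.*.example.com", "www.*.com") are rejected;
      * the wildcard matches exactly one label, so "*.domain.com" covers
        "host.domain.com" but not "a.b.domain.com" and not "domain.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname

    labels = pattern.split(".")
    # Only the left-most label may be a wildcard, and it must be exactly "*".
    if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]):
        return False
    if len(labels) < 3:
        # Refuse "*.com"-style patterns: a wildcard needs at least two fixed labels.
        return False

    host_labels = hostname.split(".")
    # Exactly one label is consumed by the wildcard, so label counts must agree.
    if len(host_labels) != len(labels):
        return False
    return host_labels[1:] == labels[1:]


def certificate_covers(san_dns_names: list[str], hostname: str) -> bool:
    """True if any subjectAltName DNS entry covers the hostname."""
    return any(dns_name_matches(p, hostname) for p in san_dns_names)


# Constructed SAN lists mirroring the thread: first a certificate with a single
# wildcard, then one certificate carrying a wildcard for each label depth.
SINGLE_WILDCARD_SAN = ["*.domain.com"]
MULTI_WILDCARD_SAN = ["domain.com", "*.domain.com", "*.hussain.domain.com"]

if __name__ == "__main__":
    host = "aftab.hussain.domain.com"
    print(certificate_covers(SINGLE_WILDCARD_SAN, host))  # False
    print(certificate_covers(MULTI_WILDCARD_SAN, host))   # True
    print(dns_name_matches("*.*.domain.com", host))       # False: rejected form
```

The MULTI_WILDCARD_SAN list corresponds to requesting the certificate with an OpenSSL subjectAltName extension of the form `subjectAltName = DNS:domain.com, DNS:*.domain.com, DNS:*.hussain.domain.com`; each deeper subdomain level needs its own wildcard entry, and you can confirm what actually landed in the issued certificate with `openssl x509 -in cert.pem -noout -ext subjectAltName`.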
Didn’t realise you could have SANs in a wildcard cert, I’ll give that a try. If it works I’ll update here.