I think it was a self signed SSL.
Not all SSLs are domain specific. There’s wildcard domains (used for subdomains or related domains), and self signed domains, and probably more.
Think like… A liquor store in the middle of nowhere that transmits CC data via internet. They have a SSL. They don’t necessarily even have a registered domain.
Self-signed certs are not viable for general use because they’ll generate a browser warning that “Joes Liquor Co is not a trusted Certificate Authority” that will scare off 99% of users. And wildcard certs still need at least one specific domain, e.g. *.joesliquor.com
. The only way I can imagine this working is if the vendor was handing out separate servers on client.vendor.com
and giving each of them the same SSL cert for *.vendor.com
.
We would do the implementations. It would include Tomcat, IIS, and an out of date version of Internet Explorer. Beyond that, I’m not sure how they were getting by the warnings. All I can tell you is we were issuing one SSL certificate to multiple clients, and that SSL cert lived on our FTP server which had a very weak password.