
Resolved: SSL Certificate Valid on Site not Starting “www” But Invalid on Site Starting With “www”

By Isaac Tonny on 18/06/2022 Issue

Question:

I have a site hosted on a remote server on IIS that has two ‘https’ bindings that are secured with the same SSL certificate. The first binding is https://example.local.com and the second https://www.example.local.com. On my local PC I have added the site (1.1.1.1 example.local.com www.example.local.com) to the Hosts file and added the certificate to the Trusted Root Certification Authorities location.
When creating the certificate, this is the command that I ran in PowerShell:
The issue is that when I load the site without the ‘www’ the result is ok:
https://example.local.com
But when I load the site with the ‘www’ the result is an insecure site.
https://www.example.local.com
When I click on the certificate and check the details, I can see that the subject value is:
and the value under the Subject Alternative Names is:
I would guess a simple alteration to the certificate creation command would solve this problem that I am having but I don’t know for sure. Any ideas?

Answer:

As you guessed, this issue is happening because of the certificate. If you want to secure both local.example.com and www.local.example.com, you’d need to issue the certificate with the following:
Unfortunately, it’s not possible to create a certificate that can secure www.anything.local.com; however, you can include multiple subdomains if you wish by specifying additional *.subdomain.local.com.
RFC 6125 details the following:

If a client matches the reference identifier against a presented identifier whose DNS domain name portion contains the wildcard character ‘*’, the following rules apply: The client SHOULD NOT attempt to match a presented identifier in which the wildcard character comprises a label other than the left-most label (e.g., do not match bar.*.example.net).


The wildcard character MUST appear at the very start (left most part) of the DNS name part.
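
An added example, not part of the original answer: a simplified Python version of the RFC 6125 matching a client performs, run against the two bindings from the question. The SAN lists are constructed for illustration (the certificate's real SAN value is not shown on the page), and refusing partial-label wildcards such as w*.example.com is a choice made here.

```python
# Simplified RFC 6125 dNSName matching: exact match, or a lone "*" as the
# left-most label standing in for exactly one label. Not a full validator.

def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot and split it into labels."""
    return name.rstrip(".").lower().split(".")

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers the requested hostname."""
    pat, host = _labels(pattern), _labels(hostname)
    if len(pat) != len(host):
        return False          # a wildcard never spans zero or several labels
    if any("*" in label for label in pat[1:]):
        return False          # wildcard outside the left-most label: no match
    if pat[0] == "*":
        return pat[1:] == host[1:]
    if "*" in pat[0]:
        return False          # partial-label wildcard, refused in this example
    return pat == host

def cert_covers(san_entries: list[str], hostname: str) -> bool:
    """A certificate covers a hostname if any SAN entry matches it."""
    return any(san_matches(entry, hostname) for entry in san_entries)

def uncovered(san_entries: list[str], hostnames: list[str]) -> list[str]:
    """Hostnames a browser would flag as a name mismatch for this SAN list."""
    return [h for h in hostnames if not cert_covers(san_entries, h)]

# The two IIS bindings named in the question.
BINDINGS = ["example.local.com", "www.example.local.com"]

# Constructed SAN lists (assumptions, not values taken from the page).
APEX_ONLY = ["example.local.com"]
APEX_PLUS_WILDCARD = ["example.local.com", "*.example.local.com"]
WILDCARD_ONLY = ["*.example.local.com"]
MID_WILDCARD = ["www.*.local.com"]

if __name__ == "__main__":
    for label, sans in [("apex only", APEX_ONLY),
                        ("apex + wildcard", APEX_PLUS_WILDCARD),
                        ("wildcard only", WILDCARD_ONLY),
                        ("mid-label wildcard", MID_WILDCARD)]:
        print(f"{label:20} uncovered: {uncovered(sans, BINDINGS)}")
```

Note that the wildcard entry alone does not cover the bare name, so a certificate for both bindings needs both entries.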


iis powershell ssl-certificate