(similar to this question, but with another twist).

IIS 6, if that turns out to be applicable.

So we attained a certificate that was signed for www.foo.com, and of course HTTPS requests for foo.com throw certificate warnings. Some questions:

  • Will putting in a DNS CNAME for foo.com requests to point to www.foo.com fix the problem?
  • If not, what's the next best method? I've seen wildcard certificates and adding SubjectAlternativeNames to the certificate. Are there pros and cons to each, or are both equally valid?
  • Even if the DNS CNAME addition will work, is it the "right" method?
+2  A: 

The DNS CNAME won't work: the browser verifies the hostname given in the URL against the certificate, and isn't interested in whether the hostname is resolved by following a CNAME to somewhere else.

I'm not sure if CAs issue wildcard certificates much, or what the support for them is. If the CA is prepared to do it, creating a cert with foo.com as a SubjectAlternativeName is an option. I think browser support for that is widespread now.

araqnid
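
Added example, not part of the original answer: a simplified Python model of the hostname check described above, useful for auditing which names a certificate's SAN list covers before deploying it. The function names and the sample SAN lists are constructed for illustration; real clients apply fuller rules (RFC 6125), and DNS data such as a CNAME is deliberately not an input.

```python
# Simplified model of TLS hostname verification against dNSName SAN entries.
# All hostnames and SAN lists used here are constructed sample data.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_entry_matches(pattern, hostname):
    """Return True if a single SAN entry covers the hostname from the URL."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        # A wildcard stands for exactly one label, so "*.foo.com"
        # never covers the bare name "foo.com" or "a.b.foo.com".
        return False
    if p[0] == "*":
        # Only a whole left-most label may be a wildcard, and it must
        # sit in front of at least two further labels.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    # Anything else (including partial wildcards such as "w*") is literal.
    return p == h

def cert_covers(san_dns_names, url_hostname):
    """The client checks the name in the URL, not what DNS resolves it to."""
    return any(san_entry_matches(s, url_hostname) for s in san_dns_names)

def audit(san_dns_names, required_hostnames):
    """Return the hostnames visitors may use that the certificate misses."""
    return [h for h in required_hostnames if not cert_covers(san_dns_names, h)]

if __name__ == "__main__":
    site_names = ["www.foo.com", "foo.com"]
    candidates = {
        "single name": ["www.foo.com"],
        "wildcard only": ["*.foo.com"],
        "SAN with both names": ["www.foo.com", "foo.com"],
        "wildcard plus apex SAN": ["*.foo.com", "foo.com"],
    }
    for label, sans in candidates.items():
        missing = audit(sans, site_names)
        print(f"{label:24} uncovered: {missing or 'none'}")
```

Note that a wildcard for `*.foo.com` on its own leaves `foo.com` uncovered, so a wildcard certificate still needs the bare name listed as an additional SAN.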