Its probably more nuanced than that. If he had a CArtel cert then you would quite happily load all the sub domains. But it is annoying. @erkan could 1. Stump up for a accepted certs. 2. Publish his CA cert and ask people to install that. 3. Start experimenting with some alternate validation method