Hi Fulvio, thanks for the reply.
I have to turn on the “Use CN to redirect” flag as without this, the Captive Portal builds the redirect URL using the IP address of the interface on which it is running, and not a hostname. You can’t get a commercial SSL certificate for an IP address!
As for the “Subject Alternative Name” attribute, this is also not feasable with a commercial SSL certificate. The whole idea of wildcard certificates is not having to know in advance the names of all the hosts that will be covered by the certificate. They simply need to share the same domain.
If I were to create my own CA and self-sign the certificates, both of your approaches might certainly be possible. However, the wildcard certificate I am using is signed by a major Internet CA and is regcognized by all browsers without having to install a new root certificate, which in our captive portal deployment is very important. We don’t want users receiving certificate warnings or having to install new root certs…