a.com does not match b.a.com
Only if the certificate is *.a.com does it match b.a.com
b.a.com can have its own certificate.