Should the Subject Alternative Names of the CSR include the wildcard domain (e.g. *.test.com)? Currently CN=*test.com is enough for the order to finalize but including *.test.com in the SAN list results in an error from the API (CSR contains domains not in Order).
Technically it does contain the DNS identifier because the wildcard domain is included as subject name. Maybe the SAN list should include test.com if the subject name is *.test.com (but SAN list should not contain *.test.com?)
The CSR MUST indicate the exact same set of requested identifiers as the initial new-order request, either in the commonName portion of the requested subject name, or in an extensionRequest attribute [RFC2985] requesting a subjectAltName extension
I was adding the DNS identifiers that we get back from authorization into the SAN list. It turns out they get stripped of the *. prefix, so I was actually just adding test.com instead of *.test.com (which caused the error). What confused me was that it worked fine when I left the SAN list blank and just set the subject name.
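The mismatch described above, as an added example that is not part of the original thread: it rebuilds the CSR names from authorization objects, restoring the *. prefix when the authorization's "wildcard" field (RFC 8555) is true, and compares the CSR's name set with the order's. The function names and sample data are constructed, and the comparison only models the "CSR contains domains not in Order" check; it is not the CA's code.

```python
# Added example (not from the original thread). Models the name comparison
# with constructed data; it is not the CA's actual implementation.

def names_from_authorizations(authzs):
    """Rebuild the DNS names to request from ACME authorization objects.

    A wildcard authorization carries the base domain in identifier.value
    and sets "wildcard": true, so the "*." prefix has to be restored.
    """
    names = []
    for authz in authzs:
        ident = authz["identifier"]
        if ident["type"] != "dns":
            continue
        value = ident["value"].lower().rstrip(".")
        if authz.get("wildcard", False):
            value = "*." + value
        if value not in names:
            names.append(value)
    return names


def csr_names(common_name, sans):
    """Set of names a CSR requests: CN (if set) plus every SAN dNSName."""
    requested = {s.lower().rstrip(".") for s in sans}
    if common_name:
        requested.add(common_name.lower().rstrip("."))
    return requested


def check_csr_against_order(common_name, sans, order_identifiers):
    """Return (extra, missing): names only in the CSR, names only in the order."""
    ordered = {i["value"].lower().rstrip(".")
               for i in order_identifiers if i["type"] == "dns"}
    requested = csr_names(common_name, sans)
    return sorted(requested - ordered), sorted(ordered - requested)


# Constructed sample data for a wildcard-only order.
ORDER_IDENTIFIERS = [{"type": "dns", "value": "*.test.com"}]
AUTHORIZATIONS = [{"identifier": {"type": "dns", "value": "test.com"},
                   "status": "valid", "wildcard": True}]

if __name__ == "__main__":
    naive = [a["identifier"]["value"] for a in AUTHORIZATIONS]  # prefix lost
    print("naive:", check_csr_against_order("*.test.com", naive, ORDER_IDENTIFIERS))
    fixed = names_from_authorizations(AUTHORIZATIONS)
    print("fixed:", check_csr_against_order("*.test.com", fixed, ORDER_IDENTIFIERS))
```

A non-empty first element in the returned pair corresponds to the rejected case: the CSR asks for a name the order never listed.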