Allow multiple level wildcard certificates

Hi there,

As many have already noticed in this forum, a wildcard certificate for *.example.com validates www.example.com and correctly fails to validate www.subdomain.example.com. Such a subdomain requires its own wildcard, such as *.subdomain.example.com.

Unfortunately, in my current setup the subdomain part is dynamically generated, so it would be really useful to be able to add wildcards in the form www.*.example.com, or even *.*.example.com.

To my understanding of RFC 2818, this should be possible. Here is the relevant quote (section "3.1. Server Identity"):

Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

Thanks,

Nicholas

Hi @lordgordon,

Unfortunately RFC 2818 is not relevant to today's internet - that's a dinosaur of an RFC that has long been supplanted by others. The particulars of the Web PKI are primarily specified in RFC 5280, and it washes its hands of how wildcards should be handled:

Finally, the semantics of subject alternative names that include wildcard characters (e.g., as a placeholder for a set of names) are not addressed by this specification. Applications with specific requirements MAY use such names, but they must define the semantics.

In practice this means the semantics of matching a wildcard subject name are entirely imposed by web browsers and TLS clients, and that community has landed on allowing only one wildcard character as only the entire leftmost domain label.

Let's Encrypt's wildcard certificates are handled identically to all other CAs' by the browser vendors, and we cannot implement your feature request from our side. It would have to be adopted by all possible client software.

Edit: We would also have to contend with the CA/Browser Forum's Baseline Requirements. Presently they define a "wildcard domain" as:

"A Domain Name consisting of a single asterisk character followed by a single full stop character (“*.”) followed by a Fully-Qualified Domain Name.",

Allowing multiple wildcard labels would likely run afoul of the baseline requirements.

Hope that helps explain things!

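As an added illustration (not code from this thread, from Let's Encrypt, or from any browser), here is a small Python matcher implementing the rule described above: the asterisk is accepted only as the entire leftmost label and matches exactly one label, so the multi-level forms asked about (www.*.example.com, *.*.example.com) and the RFC 2818 fragment form (f*.com) never match. The function names and the label regex are my own choices; the CA/Browser Forum definition is taken from the quote above.

```python
import re

# One DNS label in letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop one trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def is_cabf_wildcard_name(name: str) -> bool:
    """CA/Browser Forum definition quoted above: a single '*', then '.', then an FQDN.

    Rejects 'www.*.example.com', '*.*.example.com' and fragments such as 'f*.com'.
    """
    labels = _labels(name)
    if len(labels) < 2 or labels[0] != "*":
        return False
    # Every label after the wildcard must be an ordinary label with no '*' in it.
    return all(_LABEL.match(label) for label in labels[1:])


def hostname_matches(presented: str, hostname: str) -> bool:
    """Browser/TLS-client semantics: '*' only as the whole leftmost label,
    matching exactly one label of the hostname (case-insensitive)."""
    p = _labels(presented)
    h = _labels(hostname)
    if "*" not in presented:
        return p == h                      # plain name: exact label-by-label match
    if not is_cabf_wildcard_name(presented):
        return False                       # multi-wildcard / fragment forms never match
    if len(p) != len(h):
        return False                       # '*' covers one label, so depth must be equal
    if not _LABEL.match(h[0]):
        return False                       # the label replacing '*' must be a real label
    return p[1:] == h[1:]


if __name__ == "__main__":
    # Constructed sample pairs covering the cases discussed in the thread.
    for presented, host in [("*.example.com", "www.example.com"),
                            ("*.example.com", "www.subdomain.example.com"),
                            ("www.*.example.com", "www.foo.example.com"),
                            ("*.*.example.com", "a.b.example.com"),
                            ("f*.com", "foo.com")]:
        print(f"{presented:>22} vs {host:<28} -> {hostname_matches(presented, host)}")
```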

Hi @cpu,

thank you very much for your exhaustive explanation.

