About Wildcard Certificates
You'll probably know that certificates containing the wildcard character "*" in the CN of a server are called wildcard certificates.
RFC 2818 "HTTP Over TLS" states the following:
Matching is performed using the matching rules specified by RFC 2459. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.
On the other hand there is RFC 2595 "Using TLS with IMAP, POP3 and ACAP" which states:
- A "*" wildcard character MAY be used as the left-most name component in the certificate. For example, *.example.com would match a.example.com, foo.example.com, etc. but would not match example.com.
RFC 2459 explicitly does not address wildcards in host/domain name matching.
So the wildcard rules differ by protocol: RFC 2818 lets "*" stand for any single component or component fragment (f*.com), whereas RFC 2595 only allows a whole "*" as the left-most component...
ToDo: Have a closer look at RFC 3280 and RFC 5280
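To make the two quoted rules concrete, here is an added reference matcher (example code, not part of the original page) implementing RFC 2818 and RFC 2595 matching side by side, plus the lenient "matches subdomains" behaviour reported for several browsers below, whose exact semantics are an assumption (a leading "*" swallowing one or more labels). Neither RFC lets "*" span a dot, so a client that accepts bar.foo.a.com for *.a.com is doing something neither specifies.

```python
# Added example: reference wildcard matching for the rules quoted above.
# Names are compared case-insensitively, label by label, ignoring a trailing dot.

def _labels(name: str):
    return name.lower().rstrip(".").split(".")

def _label_matches(pattern: str, label: str) -> bool:
    """Match one hostname label against one pattern label holding at most one '*'."""
    if "*" not in pattern:
        return pattern == label
    head, _, tail = pattern.partition("*")
    return (len(label) >= len(head) + len(tail)
            and label.startswith(head) and label.endswith(tail))

def matches_rfc2818(pattern: str, hostname: str) -> bool:
    """RFC 2818: '*' matches any single component or component fragment."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):          # a '*' never spans a dot
        return False
    return all(_label_matches(a, b) for a, b in zip(p, h))

def matches_rfc2595(pattern: str, hostname: str) -> bool:
    """RFC 2595: only a whole '*' as the left-most component is allowed."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h                 # fragments such as f*.com are not wildcards here

def matches_subdomains(pattern: str, hostname: str) -> bool:
    """Assumed semantics of the lenient 'matches subdomains' behaviour seen in
    the interoperability study: a leading '*' swallows one or more labels."""
    p, h = _labels(pattern), _labels(hostname)
    if p[0] != "*" or len(h) < len(p):
        return False
    return p[1:] == h[len(h) - len(p) + 1:]

if __name__ == "__main__":
    for pat, host in [("*.a.com", "foo.a.com"), ("*.a.com", "bar.foo.a.com"),
                      ("f*.com", "foo.com"), ("*.example.com", "example.com")]:
        print(pat, host, matches_rfc2818(pat, host),
              matches_rfc2595(pat, host), matches_subdomains(pat, host))
```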
IIS bug
A certificate request generated by IIS for a common name that contains a wildcard is encoded in a way that causes the following error when it is submitted:
The following hostnames were rejected because the system couldn't link them to your account, if they are valid please verify the domains against your account.
Solution
You can use OpenSSL to create the certificate request for the wildcard common name instead, and then import the issued certificate into IIS.
Interoperability study
Since Mozilla does not match names the way RFC 2818 specifies (see the results below), other products may deviate from it as well.
Please add your own browser/tool/library/application here.
OpenSSL
The OpenSSL library does not contain code to check the server's name in the certificate, so it is up to the application whether to accept wildcards or not.
Internet Explorer
- Internet Explorer 6.0.2800.1106: * does not match subdomains
Mozilla & Co
- SeaMonkey 1.0.5 on Linux & Windows: * matches subdomains.
Firefox
- 1.5.0.7/Windows: matches subdomains; the hostname that was entered (NOT the certificate's CN, which I'd consider a bug) is displayed in the statusline. This is filed as a bug in https://bugzilla.mozilla.org/show_bug.cgi?id=159483 so it may be fixed in a new release. But since the bug was opened in 2002 we will probably have to live with it for some more time...
- 3.0.0b5/Ubuntu: matches subdomains.
Konqueror
- Konqueror 3.5.1: does not match subdomains.
- Konqueror 3.5.4-0.5.fc5: matches subdomains (use the lock on the iconbar to inspect the KDE SSL information).
- Konqueror 3.5.9: matches subdomains.
Fixed in SVN in November 2005: http://bugs.kde.org/show_bug.cgi?id=106476
Opera
- Opera 9.00: does seem to match subdomains.
- Opera 9.27: matches subdomains
Safari
- 3.1 (5525.13): matches subdomains
Lynx
- Lynx 2.6.8rel.1 on FreeBSD: Does not match wildcards at all
- Lynx 2.8.6rel.4 on Linux (Ubuntu 7.10, GnuTLS 1.6.3, SSL-MM 1.4.1): matches subdomains
Subversion
- 1.4.4 (r25188): matches subdomains
