On 07/17/2017 09:27 AM, Fraser Tweedale wrote:
https://tools.ietf.org/html/rfc6125#section-7.2
This document states that the wildcard character '*' SHOULD NOT
be included in presented identifiers but MAY be checked by
application clients (mainly for the sake of backward
compatibility with deployed infrastructure).
Furthermore, note that wildcards in dNSName values (SAN), although
supported by most clients, are technically a violation of RFC 5280.
The deprecation (and now, actual removal in clients) of CN-based
validation poses another challenge in this regard.
Some years ago it seemed impossible that CN-based hostname
validation, despite being officialy deprecated in RFC 2818 and the
deprecation affirmed by RFC 6125, would ever happen. But it has
happened. The thing is... "all the clients still support it"...
until they don't anymore!
Okay, I'm aware of the reasoning, and the
implications of having
wildcards in the SAN, but I'm still not seeing like a drop/removal
deadline date for this. We handle several hundred certs for our clients,
some of which are wildcards, and it would be nice to know when this will
become a serious issue long before it bites us in the butt.
(Yeah, I know it's a ginormously stupid question, but I typically don't
muck with wildcard certs, so this isn't something I have had to deal with.)
--
Mark Haney
Network Engineer at NeoNova
919-460-3330 option 1
mark.haney(a)neonova.net
www.neonova.net