Wildcard in subjectAltName/dNSName

Zhong Yu zhong.j.yu at gmail.com
Tue Sep 2 23:39:21 UTC 2014


The following command would fail, rejecting the wildcard in dNSName

    keytool -genkeypair -ext SAN=DNS:*.example.com .....

    keytool error: java.lang.RuntimeException: java.io.IOException:
DNSName components must begin with a letter

RFC5280 $4.2.1.6. contains a paragraph vaguely talking about wildcards

   Finally, the semantics of subject alternative names that include
   wildcard characters (e.g., as a placeholder for a set of names) are
   not addressed by this specification.  Applications with specific
   requirements MAY use such names, but they must define the semantics.

And in practice, CAs, browsers, servers all seems to support wildcards
in dNSName.

Thoughts?

Zhong Yu
bayou.io


More information about the security-dev mailing list