Wildcard in subjectAltName/dNSName
Zhong Yu
zhong.j.yu at gmail.com
Tue Sep 2 23:39:21 UTC 2014
The following command would fail, rejecting the wildcard in dNSName
keytool -genkeypair -ext SAN=DNS:*.example.com .....
keytool error: java.lang.RuntimeException: java.io.IOException:
DNSName components must begin with a letter
RFC 5280 §4.2.1.6 contains a paragraph vaguely talking about wildcards:
Finally, the semantics of subject alternative names that include
wildcard characters (e.g., as a placeholder for a set of names) are
not addressed by this specification. Applications with specific
requirements MAY use such names, but they must define the semantics.
And in practice, CAs, browsers, servers all seem to support wildcards
in dNSName.
Thoughts?
Zhong Yu
bayou.io
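As an added illustration (my code, not from the post or from the JDK), the following contrasts the strict "every label begins with a letter" rule behind the keytool error with the wildcard semantics that browsers and servers commonly apply in practice (assumed here to be the RFC 6125 §6.4.3 style: "*" must be the entire left-most label, matches exactly one label, and needs at least two labels after it). The label regex and the checks are my approximation, not the JDK's implementation.

```python
import re

# One DNS label in the strict form the keytool error describes: it must
# begin with a letter, then letters, digits or hyphens (RFC 1034 syntax).
_LABEL = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


def is_strict_dnsname(name: str) -> bool:
    """Approximation of the rule behind 'DNSName components must begin
    with a letter': every label must match _LABEL, so '*.example.com'
    is rejected here just as keytool rejects it."""
    return all(_LABEL.match(label) for label in name.split("."))


def is_wildcard_dnsname(name: str) -> bool:
    """Accept a wildcard dNSName only in the commonly honoured form
    (assumed RFC 6125 style): '*' is the whole left-most label and at
    least two ordinary labels follow, so '*.com' is refused."""
    labels = name.split(".")
    if len(labels) < 3 or labels[0] != "*":
        return False
    return all(_LABEL.match(label) for label in labels[1:])


def dnsname_matches(san: str, host: str) -> bool:
    """Case-insensitive match of a presented dNSName against a host name.
    A wildcard covers exactly one label: '*.example.com' matches
    'www.example.com' but neither 'example.com' nor 'a.b.example.com'."""
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if is_strict_dnsname(san):
        return san == host
    if not is_wildcard_dnsname(san):
        return False  # neither a plain name nor an acceptable wildcard
    same_label_count = len(host.split(".")) == san.count(".") + 1
    return same_label_count and host.endswith(san[1:])  # san[1:] = ".example.com"
```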