I followed the excellent write-up how-do-you-sign-certificate-signing-request-with-your-certification-authority to create my own self-signed cert. I set the SAN for *.pro and *.pro.example.com.

If I hit the web02.pro.example.com all works fine.

When I hit web02.pro it doesn't work:

curl --cacert cacert.pem https://web02.pro/version.html
curl: (51) SSL: no alternative certificate subject name matches target host name 'web02.pro'

web02.pro and web02.pro.example.com both resolve to the same machine, and that machine is set up to answer to both names.

The cert I generated shows:

        X509v3 Subject Alternative Name:   
            DNS:*.pro, DNS:*.pro.example.com  

Is there any limit to using a not-real TLD for a self-signed cert?

1 Answer

Many clients not only check the hostname against all names in the certificate, but also only allow wildcards which are not too permissive. This means that wildcards like *.pro.example.com or *.example.com are considered valid while wildcards which only specify the top-level domain like *.pro are considered invalid and will not be included in the validation process.

The reason for this is that below a top-level domain you will usually find lots of domains with different owners. A wildcard certificate for *.pro would thus include domains from different owners, which should better not be possible.
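The matching rule the answer describes, written out as a small Python re-implementation so the verdict for each hostname can be reproduced without generating a certificate. This is an added example, not code from the original post or from curl/OpenSSL: it does not call the ssl module, the SAN list is constructed to mirror the extension printed in the question, and the "at least two labels after the wildcard" threshold is an assumption about typical client behaviour (RFC 6125 leaves the exact limit to the implementation; browsers and curl reject a bare *.tld).

```python
"""Hostname-vs-SAN matching with a 'too permissive wildcard' rule.

Added example, not from the original post. It re-implements in plain
Python the behaviour the answer describes: a wildcard only matches if
the '*' is the whole left-most label and enough labels follow it.
"""

# Constructed to match the SAN extension shown in the question.
SAN_DNS_NAMES = ["*.pro", "*.pro.example.com"]

# Assumption: a wildcard must leave at least this many labels to its right.
# '*.pro' leaves 1 (rejected); '*.pro.example.com' leaves 3 (accepted).
MIN_LABELS_AFTER_WILDCARD = 2


def wildcard_is_acceptable(pattern: str) -> bool:
    """Return True if a wildcard pattern is one a typical client will honour.

    Rejects patterns with more than one '*', patterns where '*' is not the
    entire left-most label (e.g. 'w*.example.com'), and patterns with fewer
    than MIN_LABELS_AFTER_WILDCARD labels after the wildcard ('*.pro').
    """
    labels = pattern.lower().split(".")
    if pattern.count("*") != 1 or labels[0] != "*":
        return False
    return len(labels) - 1 >= MIN_LABELS_AFTER_WILDCARD


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against a hostname (case-insensitive).

    A wildcard covers exactly one label, so '*.pro.example.com' matches
    'web02.pro.example.com' but not 'a.b.pro.example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not wildcard_is_acceptable(pattern):
        # Too-permissive wildcards are skipped, not merely failed.
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    # '*' matches any single non-empty label; all other labels must be equal.
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def matching_san(san_dns_names, hostname: str):
    """Return the first SAN entry that matches the hostname, or None."""
    for pattern in san_dns_names:
        if dns_name_matches(pattern, hostname):
            return pattern
    return None


def verdict(san_dns_names, hostname: str) -> str:
    """Produce a curl-style one-line verdict for the hostname."""
    hit = matching_san(san_dns_names, hostname)
    if hit is None:
        return (f"{hostname}: no alternative certificate subject name "
                f"matches target host name")
    return f"{hostname}: matched by SAN {hit}"


if __name__ == "__main__":
    for host in ("web02.pro.example.com", "web02.pro", "a.b.pro.example.com"):
        print(verdict(SAN_DNS_NAMES, host))
```

Running it reproduces the behaviour in the question: web02.pro.example.com is matched by *.pro.example.com, while web02.pro gets the "no alternative certificate subject name matches" verdict because *.pro is discarded before matching even starts.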