Self-signed wildcard certificate

14 votes

I've got Pi-hole set up at home, so I want to be able to handle requests for any website with my own server, to show a "this site has been blocked" page.

I'm attempting to do this by creating a self-signed certificate for any URL and installing this on my device. The commands I used to generate the certificate:

openssl genrsa 2048 > pihole.key
# With -x509 the extension section is selected by -extensions;
# -reqexts only applies when generating a CSR and is ignored here.
openssl req -new -x509 -nodes -days 36500 \
    -key pihole.key \
    -subj "/C=NL/ST=Utrecht, Inc./CN=*" \
    -extensions SAN \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName=DNS:*,DNS:*")) \
    -out pihole.cert
openssl x509 -noout -fingerprint -text < pihole.cert > pihole.info
cat pihole.cert pihole.info > pihole.pem
service apache2 reload

I've installed this certificate on my Windows device, and Windows shows that it's a valid certificate.

However, Chrome gives me NET::ERR_CERT_COMMON_NAME_INVALID, and Edge gives me a similar error (DLG_FLAGS_SEC_CERT_CN_INVALID).

Why is this? Is CN = * just not allowed? How could I achieve what I want?
  • As a side note: For major websites your browser will probably not accept any certificate you manage to generate. Those sites use certificate-pinning and submit fingerprints of their TLS certs for inclusion in those browsers. Your cert won't match the stored fingerprint and will be blocked. Here's more info: noncombatant.org/2015/05/01/about-http-public-key-pinning
    – Martijn Heemels
    Nov 13 '18 at 12:44

  • Self-signed certs can be problematic, as you have discovered. You could instead look at getting a "proper" certification from letsencrypt.org - they are free and support wildcards. Depending on how many of the hosts you were trying to cover with that * you actually need, one (or more) certs from letsencrypt could cover you.
    – Dave Smylie
    Nov 13 '18 at 22:30

  • @DaveSmylie it's for an adblocker, I don't own the domains.
    – Daniël van den Berg
    Nov 14 '18 at 5:53

  • letsencrypt.org will give you signed certs for free.
    – Stewart
    Nov 14 '18 at 10:43

  • Also of note: if you're using this for an adblocker, it might be better to just silently drop the connections to relevant servers instead of showing an alternative page. 90% of modern ads are initially loaded through JavaScript, so it's unlikely your alternative page is going to have any real visibility on the page. It's probably going to break stuff, actually, trying to load non-JavaScript resources as JavaScript.
    – Nzall
    Nov 14 '18 at 14:13
tags: ssl, certificate
edited Nov 13 '18 at 9:08 by Máté Juhász
asked Nov 13 '18 at 8:47 by Daniël van den Berg
2 Answers
35 votes

It is not allowed. As a protocol-specific addition to the standard TLS hostname validation, all major web browsers (HTTPS clients) have basically agreed to restrict wildcard certificates to "eTLD+1" – that is, there must be an "effective TLD" plus one more non-wildcard component.

Generally this translates to requiring at least two components (*.example.net is okay but *.net is not, neither is a bare *). The "effective TLD" rule expands this to multi-level suffixes such as co.uk that people use as indivisible "TLDs" in practice. (So *.example.ac.uk is allowed but *.ac.uk is not.)

You can inspect how the public suffix list is implemented in Chromium and in Mozilla.

See related discussion in Security.SE which has a quote from the CA-Browser Forum Baseline Requirements (which only apply to public WebPKI CAs, but still reflect the general implementation anyway):

    CAs SHALL revoke any certificate where wildcard character occurs in the first label position immediately to the left of a “registry‐controlled” label or “public suffix”.

To avoid this restriction, build a certificate authority that issues certificates "on demand" for whatever website you try to visit. I don't know how that would be implemented in any regular web server, but this is a common method used by commercial TLS interception systems; antivirus programs and other malware; and development tools such as the Burp Proxy suite.

For example, the OpenResty web server (basically Nginx-with-Lua) has a ssl_certificate_by_lua option to implement dynamic certificate generation. The Squid proxy supports certificate mimicking in its ssl-bump feature.

Also note that SANs completely override the Subject-CN if both are present. This makes including the CN mostly redundant (unless your client software is so ancient it lacks SAN support), and for public CAs web browsers don't even accept it anymore.
edited Nov 14 '18 at 9:03
answered Nov 13 '18 at 9:01 by grawity
  • I already found out about that TLD+1 limit empirically in a project earlier on. Thanks for laying it out. +1
    – Rui F Ribeiro
    Nov 13 '18 at 12:32

  • Thanks for your elaborate answer, I guess that explains it, yeah. Do you happen to know a different approach that I could use?
    – Daniël van den Berg
    Nov 13 '18 at 13:08

  • Upvoted for strategic placement of "and other malware".
    – Džuris
    Nov 13 '18 at 16:12

  • @DaniëlvandenBerg: I happen to have suggested one in the post itself. I've just added links to Nginx and Squid examples.
    – grawity
    Nov 14 '18 at 9:05
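The "certificate authority that issues certificates on demand" approach from the answer above, as an added Python example that is not grawity's code and not Squid's or OpenResty's implementation. It drives the openssl command line (1.1.1 or newer, for the -ext option) the way a small helper behind a Pi-hole block page could: a private CA is created once, and the first request for a hostname mints an exact-name leaf certificate that is cached for later use. The CA name, validity periods and the hostnames in demo() are assumptions. Because the hostname would come from the client's SNI, i.e. from untrusted input, it is validated strictly before it reaches openssl, and a "*" request is refused rather than issued.

```python
"""Mint an exact-hostname certificate from a private CA the first time a
hostname is seen, then reuse it: on-demand issuance instead of one
(impossible) "*" certificate.
Added example; assumes the openssl CLI, 1.1.1 or newer (for -ext)."""
from __future__ import annotations

import os
import re
import subprocess
import tempfile

# One label of 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

# Minimal req config so the script does not depend on the system openssl.cnf.
REQ_CNF = """[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
"""


def _openssl(*args: str) -> str:
    return subprocess.run(["openssl", *args], check=True,
                          capture_output=True, text=True).stdout


def _req_cnf(workdir: str) -> str:
    cnf = os.path.join(workdir, "req.cnf")
    if not os.path.exists(cnf):
        with open(cnf, "w") as f:
            f.write(REQ_CNF)
    return cnf


def ensure_ca(workdir: str) -> tuple[str, str]:
    """Create the private CA once; ca.pem is what gets installed on the device."""
    ca_key, ca_pem = os.path.join(workdir, "ca.key"), os.path.join(workdir, "ca.pem")
    if not os.path.exists(ca_pem):
        _openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes",
                 "-config", _req_cnf(workdir), "-keyout", ca_key, "-out", ca_pem,
                 "-days", "3650", "-subj", "/CN=Pi-hole block page CA")  # assumed name
    return ca_pem, ca_key


def issue_for_host(host: str, workdir: str) -> tuple[str, str]:
    """Return (cert, key) for host, issuing on first use and caching after.

    The name arrives via SNI, i.e. it is attacker-controlled, so it is checked
    strictly before it reaches -subj or the extension file; "*" is refused.
    """
    if len(host) > 253 or not HOSTNAME_RE.match(host):
        raise ValueError(f"refusing to issue for {host!r}")
    ca_pem, ca_key = ensure_ca(workdir)
    host = host.lower()
    hosts = os.path.join(workdir, "hosts")
    os.makedirs(hosts, exist_ok=True)
    cert, key = os.path.join(hosts, host + ".pem"), os.path.join(hosts, host + ".key")
    if os.path.exists(cert):
        return cert, key                                    # cache hit
    csr, ext = cert + ".csr", cert + ".ext"
    with open(ext, "w") as f:      # the SAN carries the name; CN is legacy only
        f.write(f"subjectAltName=DNS:{host}\nbasicConstraints=CA:FALSE\n"
                "extendedKeyUsage=serverAuth\n")
    _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
             "-config", _req_cnf(workdir), "-keyout", key, "-out", csr,
             "-subj", f"/CN={host}")
    _openssl("x509", "-req", "-in", csr, "-CA", ca_pem, "-CAkey", ca_key,
             "-CAcreateserial", "-days", "398", "-out", cert, "-extfile", ext)
    return cert, key


def verifies_against(cert: str, ca_pem: str) -> bool:
    """The chain check a client performs once the CA is in its trust store."""
    r = subprocess.run(["openssl", "verify", "-CAfile", ca_pem, cert],
                       capture_output=True, text=True)
    return r.returncode == 0


def san_names(cert: str) -> list[str]:
    out = _openssl("x509", "-in", cert, "-noout", "-ext", "subjectAltName")
    return re.findall(r"DNS:([^,\s]+)", out)


def demo() -> dict:
    """Issue for two constructed hostnames in a scratch directory."""
    work = tempfile.mkdtemp(prefix="pihole-ca-")
    ca_pem, _ = ensure_ca(work)
    first, _ = issue_for_host("ads.example", work)
    again, _ = issue_for_host("ads.example", work)        # served from cache
    other, _ = issue_for_host("tracker.example", work)
    try:
        issue_for_host("*", work)
        refused = False
    except ValueError:
        refused = True
    return {"cached": first == again,
            "ads_ok": verifies_against(first, ca_pem),
            "tracker_ok": verifies_against(other, ca_pem),
            "ads_san": san_names(first),
            "wildcard_refused": refused}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Only ca.pem goes into the device's trust store; ca.key must stay off the web root, since whoever holds it can impersonate any site to every device that trusts the CA. In a real deployment the issuance happens inside the TLS server's SNI callback (that is what ssl_certificate_by_lua and ssl-bump hook into), and Martijn's comment about pinning still applies: a pinned site will reject these certificates no matter who signed them.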
4 votes

There can only be a single wildcard in a certificate (i.e. no *.*.example.com), it can match only a single label (i.e. only www, not www.example.com), it can only be in the leftmost position (i.e. *.www.example.com but not www.*.example.com) and it cannot be inside the public suffix (i.e. no *.com).
answered Nov 13 '18 at 9:01 by Steffen Ullrich
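The matching rules stated across both answers (exactly one wildcard, only as the whole leftmost label, matching exactly one label, and never directly under a public suffix, so a bare * and *.ac.uk are rejected while *.example.ac.uk is accepted) as an added Python example. It is not code from either answer or from any browser; PUBLIC_SUFFIXES is a constructed, deliberately tiny stand-in for the Public Suffix List the first answer links to.

```python
"""Browser-style wildcard matching for certificate names: exactly one "*",
it must be the whole leftmost label, it matches exactly one label, and what
follows it must be at least eTLD+1 (so "*" and "*.co.uk" are refused).
Added example; PUBLIC_SUFFIXES is a constructed stand-in for the real
Public Suffix List, which a production checker would load in full."""

# Constructed, deliberately tiny subset of the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "ac.uk"}


def public_suffix(hostname: str) -> str:
    """Longest known public suffix of hostname. An unknown last label is
    treated as a suffix by itself, like the PSL's implicit '*' rule."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # longest candidate first
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]


def wildcard_allowed(pattern: str) -> bool:
    """Would a browser consider this wildcard name at all?"""
    if pattern.count("*") != 1:
        return False                      # exactly one wildcard
    if not pattern.startswith("*."):
        return False                      # "*" must be the whole leftmost label
    rest = pattern[2:].lower().rstrip(".")
    if not rest or "" in rest.split("."):
        return False                      # bare "*", "*.", or empty labels
    # What follows the wildcard must be a public suffix PLUS one more label.
    return rest != public_suffix(rest)


def matches(pattern: str, hostname: str) -> bool:
    """Does a SAN dNSName (possibly a wildcard) cover hostname?"""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname        # plain names: exact, case-insensitive
    if not wildcard_allowed(pattern):
        return False
    labels = hostname.split(".")
    # The wildcard stands in for exactly one non-empty label, nothing more.
    return (len(labels) >= 2 and labels[0] != ""
            and labels[1:] == pattern[2:].split("."))


if __name__ == "__main__":
    for pat, host in [("*.example.net", "www.example.net"),
                      ("*.example.net", "a.b.example.net"),
                      ("*.net", "example.net"), ("*", "example.net"),
                      ("*.ac.uk", "ox.ac.uk"),
                      ("*.example.ac.uk", "www.example.ac.uk")]:
        print(f"{pat:20} {host:22} {matches(pat, host)}")
```

Two things the toy leaves out that a real checker needs: the full Public Suffix List (the publicsuffix2 package, or the browser's own copy, which the first answer links to), and IDN handling, since names must be compared in their A-label (punycode) form. The names fed to matches() should come from the certificate's SAN dNSName entries only; as the first answer notes, browsers no longer fall back to the CN.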