Describe ACME/WildCardCertificate/6125 here.

6.4.3. Checking of Wildcard Certificates

{{{
A client employing this specification's rules MAY match the reference identifier against a presented identifier whose DNS domain name portion contains the wildcard character '*' as part or all of a label (following the description of labels and domain names in [DNS-CONCEPTS]). For information regarding the security characteristics of wildcard certificates, see Section 7.2.
}}}

'*' may appear as part of a label or as the whole label. (An unnecessary remark.)

{{{
If a client matches the reference identifier against a presented identifier whose DNS domain name portion contains the wildcard character '*', the following rules apply:
}}}

{{{
1. The client SHOULD NOT attempt to match a presented identifier in which the wildcard character comprises a label other than the left-most label (e.g., do not match bar.*.example.net).
}}}

It may only be used in the left-most label, that is, the first label.

{{{
2. If the wildcard character is the only character of the left-most label in the presented identifier, the client SHOULD NOT compare against anything but the left-most label of the reference identifier (e.g., *.example.com would match foo.example.com but not bar.foo.example.com or example.com).
}}}

When '*' is used as a label on its own, it matches only the left-most label of the reference identifier (exactly one label, never zero or several).

{{{
3. The client MAY match a presented identifier in which the wildcard character is not the only character of the label (e.g., baz*.example.net and *baz.example.net and b*z.example.net would be taken to match baz1.example.net and foobaz.example.net and buzz.example.net, respectively). However, the client SHOULD NOT attempt to match a presented identifier where the wildcard character is embedded within an A-label or U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].
}}}

When '*' appears as part of a label, it shall not match an IDN (internationalized domain name) label.

Examples that match: (I doubt these examples are even needed.)

{{{
baz*.example.net : baz1.example.net
*baz.example.net : foobaz.example.net
b*z.example.net  : buzz.example.net
}}}

== Discussion ==

This is a situation that needs much, much more discussion.

Support for certificate partial wildcard in middle of identifier
https://github.com/openssl/openssl/issues/4293

https://www.rfc-editor.org/errata_search.php?rfc=6125

richsalz commented on Aug 31, 2017
{{{
Wildcards are risky as the errata shows. However they are widely used, with "*.foo.bar" as the only form that is in public use, so supporting that is reasonable. Embedded wildcards are more risky and there is no demand for them.
}}}

Wed, 06 October 2010 21:47
https://mailarchive.ietf.org/arch/msg/certid/wJqsOTEl1oWtjU8enZmvEIzAS6o
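The three matching rules quoted above, and the point from the discussion that only the "*.foo.bar" form is in public use, as an added example matcher (written for this page, not code from RFC 6125, OpenSSL or the wiki). The function name `wildcard_matches`, the `allow_partial` switch and the IDN check (`xn--` A-labels or any non-ASCII U-label) are this example's own assumptions.

```python
# Added example: RFC 6125 section 6.4.3 wildcard matching (assumed names, not RFC text).

def _is_idn_label(label: str) -> bool:
    """True for an A-label (xn--...) or a U-label (contains non-ASCII)."""
    return label.lower().startswith("xn--") or not label.isascii()


def wildcard_matches(presented: str, reference: str, allow_partial: bool = True) -> bool:
    """Return True if the presented identifier (from the cert) matches the
    reference identifier (the name the client wants to reach).

    allow_partial=False mirrors the conservative stance in the discussion:
    only a lone '*' as the left-most label is accepted, never baz*.example.net."""
    p_labels = presented.lower().rstrip(".").split(".")
    r_labels = reference.lower().rstrip(".").split(".")
    if "*" not in presented:
        return p_labels == r_labels  # plain case-insensitive comparison
    # Rule 1: a wildcard anywhere but the left-most label is not matched.
    if any("*" in lab for lab in p_labels[1:]):
        return False
    # Rule 2: '*' stands for exactly one label, so the label counts must be
    # equal (rejects both example.com and bar.foo.example.com for *.example.com)
    # and every label to the right of the wildcard must be identical.
    if len(p_labels) != len(r_labels) or p_labels[1:] != r_labels[1:]:
        return False
    left, target = p_labels[0], r_labels[0]
    if left == "*":
        return target != ""  # any single non-empty label
    # Rule 3: partial wildcard (baz*, *baz, b*z) is optional, and never
    # inside an internationalized label on either side.
    if not allow_partial or left.count("*") != 1:
        return False
    if _is_idn_label(left) or _is_idn_label(target):
        return False
    prefix, suffix = left.split("*")
    return (len(target) >= len(prefix) + len(suffix)
            and target.startswith(prefix) and target.endswith(suffix))
```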