= ACME/WildCardCertificate =

People in the HTTP world apparently don't know about DNS.

https://en.wikipedia.org/wiki/Wildcard_certificate

Some certificate vendors recommend against using wildcard certificates.
 * https://www.thawte.com/resources/pdfs/Thawte_Multiuse_SSL_WP.pdf
 * https://searchsecurity.techtarget.com/definition/wildcard-certificate

Wildcard notation consists of an asterisk and a period before the domain name.

== RFC ==
RFC 2818, RFC 6125

https://tools.ietf.org/html/rfc6125#page-27 6.4.3. Checking of Wildcard Certificates
{{{
Only left-most labels, i.e. *.example.com but not www.*.com.
This implicitly excludes multiple wildcards like *.*.example.com.
A wildcard label can be matched only against a single label, i.e. *.example.com will match www.example.com but not sub.www.example.com.
If the wildcard is not the full label (i.e. w*.example.com) it should not occur inside IDNA labels.
}}}
[[/6125]]

== CAB ==
Baseline Requirements: Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates
https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_3_1.pdf

== example ==
"*.example.com" covers:
{{{
payment.example.com
contact.example.com
login-secure.example.com
www.example.com
}}}
Not covered (a difference from DNS):
{{{
test.login.example.com
}}}
Because the wildcard only covers one level of subdomains (the asterisk doesn't match full stops). (RFC 2818)

Is it odd to bring up the RFC at this point? Or is it fine because this is HTTP? -- ToshinoriMaeno

== limitations ==
Only a single level of subdomain matching is supported, in accordance with RFC 2818. In addition, wildcards themselves can have subjectAltName extensions, including other wildcards.

https://www.tbs-certificates.co.uk/FAQ/en/320.html What are limitations of Wildcard or OmniDomain certificates?
The wildcard character only replaces characters from 0 to 9 and from A to Z and dash (equivalent to [0-9A-Za-z\-]+)

== Examples ==
There is a caveat that these are "not necessarily correct". (Quite different from DNS.)
 * The wildcard may appear anywhere inside a label (aka "partial-wildcard").
Considering DNS challenge validation, this claim is untenable. -- ToshinoriMaeno
 * Do not allow a label that consists entirely of just a wildcard unless it is the left-most label. (Or rather: it can only be used in the first label.)
 * A cert with multiple wildcards in a name is not allowed: "*.*.domain.com"
 * A cert with * plus a top-level domain is not allowed: "*.com"
 * Too general and should not be allowed: "*"

== Implementation ==
https://www.ssl.com/ssl-wildcard-certificates

There also seems to be the question of how browsers handle them.

Comodo: http://valuessl.net/ssl-certificate/comodo/comodopositivesslwildcard.php

JPRS: https://jprs.jp/pubcert/about/wildcard/
 * Websites configured with a wildcard certificate cannot be displayed from feature-phone browsers.
 * Multi-level subdomains are not supported.

DigiCert: https://dc.cybertrust.co.jp/ssl/wildcard-ssl-certificates.html
 * With a DigiCert wildcard certificate, as long as the domain is the same as the Common Name, FQDNs at a different level from the Common Name can be added as Subject Alternative Names, so the bare domain name "example.com" itself and FQDNs at other levels such as "support.mail.example.com" can all be served by a single certificate.
https://www.digicert.com/subject-alternative-name.htm
They have to be added individually. (Are wildcards possible there too?)

https://www.geotrust.co.jp › SSL/TLS introductory guide

== phishing ==
Wildcard SSL Certificates and Phishing: A Match Made in Heaven
https://www.thesslstore.com/blog/wildcard-ssl-certificates-phishing-match-made-heaven/
{{{
With a Wildcard certificate, the left-most label of the domain name is replaced with an asterisk. There are restrictions on Wildcards that limit the scenarios they can be used in. There can only be one “*” and it must be in the left-most position. So, “www.*.secure.com” is not allowed. It also cannot be used directly after the TLD. So “*.com” is not allowed.

If a large proportion of phishing sites begin using Wildcard certificates instead of single-domain or multi-domain certificates it will make CT logs an ineffective detection system.
}}}
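The RFC 6125 6.4.3 rules quoted under RFC, the one-level behaviour shown under example, and the rejection list under Examples can be checked mechanically. The following matcher is an added example written for this page, not code from any RFC, CA or browser: it rejects patterns with more than one wildcard, a wildcard outside the left-most label, a wildcard with fewer than two labels after it ("*" and "*.com"), or a partial wildcard inside an IDNA A-label, and it lets a wildcard stand in for exactly one label made of the characters the FAQ above names ([0-9A-Za-z-]+). Allowing partial wildcards such as w*.example.com outside IDNA labels follows the RFC text; treating "two labels after the wildcard" as the "too general" threshold is an assumption of this example (no public-suffix list is consulted). The hostnames in the usage block are the page's own example names.

```python
import re
from typing import List, Optional

# A wildcard may only stand in for letters, digits and hyphens, and must match
# at least one character (the FAQ quoted above: equivalent to [0-9A-Za-z\-]+).
_WILDCARD_FILL = re.compile(r"^[0-9A-Za-z-]+$")


def wildcard_pattern_error(pattern: str) -> Optional[str]:
    """Return None if `pattern` (a dNSName SAN or CN) is an acceptable presented
    identifier, or a short reason why it must be rejected, following RFC 6125
    6.4.3 and the rejection list on this page. Names without a wildcard are
    accepted here; their general syntax is not this function's concern."""
    labels = pattern.lower().rstrip(".").split(".")
    if any(label == "" for label in labels):
        return "empty label"
    wild = [i for i, label in enumerate(labels) if "*" in label]
    if not wild:
        return None
    if len(wild) > 1 or labels[wild[0]].count("*") > 1:
        return "more than one wildcard"            # *.*.example.com
    if wild[0] != 0:
        return "wildcard not in left-most label"   # www.*.com
    if len(labels) < 3:                            # assumption: need >= 2 labels after *
        return "wildcard too general"              # "*" and "*.com"
    if labels[0] != "*" and labels[0].startswith("xn--"):
        return "partial wildcard inside an IDNA A-label"
    return None


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Decide whether `hostname` is covered by the single presented identifier
    `pattern`. Invalid wildcard patterns never match anything."""
    if wildcard_pattern_error(pattern) is not None:
        return False
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands in for exactly one label, so the label counts must be
    # equal: this is what keeps *.example.com from covering test.login.example.com.
    if len(p_labels) != len(h_labels):
        return False
    for p_label, h_label in zip(p_labels, h_labels):
        if "*" not in p_label:
            if p_label != h_label:
                return False
            continue
        # Partial wildcards (w*.example.com) are permitted outside IDNA labels:
        # the fixed prefix and suffix must match and the replaced part must be
        # a non-empty run of LDH characters.
        prefix, suffix = p_label.split("*", 1)
        if len(h_label) < len(prefix) + len(suffix):
            return False
        if not (h_label.startswith(prefix) and h_label.endswith(suffix)):
            return False
        filled = h_label[len(prefix):len(h_label) - len(suffix)]
        if not _WILDCARD_FILL.match(filled):
            return False
    return True


def matching_names(cert_names: List[str], hostname: str) -> List[str]:
    """Return the presented identifiers from `cert_names` that cover `hostname`."""
    return [name for name in cert_names if hostname_matches(name, hostname)]


if __name__ == "__main__":
    # Constructed certificate name list; the hostnames are the page's example names.
    names = ["*.example.com", "example.com"]
    for host in ["payment.example.com", "contact.example.com",
                 "login-secure.example.com", "www.example.com",
                 "test.login.example.com", "example.com"]:
        print(f"{host:26s} -> {matching_names(names, host)}")
```

Note that the bare name example.com is not covered by *.example.com either; a certificate that must serve both needs a separate dNSName entry, which is the situation the DigiCert paragraph above describes.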