
I think this is more urban legend around where I work than anything. I do not see anything in RFC 2459 that specifically says whether or not they should be used or if there are any known problems with using them. It only says:

From RFC 2459

"Finally, the semantics of subject alternative names that include wildcard characters (e.g., as a placeholder for a set of names) are not addressed by this specification. Applications with specific requirements may use such names but shall define the semantics."

That whole statement is difficult for me to interpret. I'm really more interested in the functionality of a self-signed wildcard, but if there are any security issues around using them I would certainly like to know that as well.

RoraΖ
user53029

  • Are you perhaps confusing SAN certs with self-signed certs? The quote you provide basically says "You can stuff wildcards into a SAN, but there's no guarantee any client will do what you want with them." – gowenfawr Jul 13 '15 at 15:34

1 Answer


Should wildcard certs be used?

Generally not, and here's a good list of reasons why. Subject Alternative Name (SAN) certs provide most of the functionality without the same level of security drawbacks. Wildcards had turned mostly into a lazy shortcut for people who didn't care about security, which is why they're discouraged these days.

Should wildcards be used in SAN names?

The RFC you've quoted says that you're welcome to use wildcard characters in a SAN name, but that they are not reserved to mean "wildcard", so the interpretation is up to the client. If you're writing your own client to use your own service and your own certs, hey, go wild. But nobody else's browser is likely to play.

Should self-signed certs be used?

Depends on what you're using them for. Internal resources where you control the trusted root store for the client browsers? Sure. Cheap web hosting of your kitten pictures? Sure. Otherwise, use caution. There are plenty of good questions on this site if you want to learn about the nuances of self-signed certs.

Does self-signed have anything to do with wildcards?

No, not particularly. As per my comment above, you may have confused SAN and self-signed. Wildcard certs should be avoided equally for self-signed and CA-signed certs. The potential negative impact is somewhat less when self-signed, due to the limited client trust of the self-signed CA, but that doesn't make them a good idea.

gowenfawr

  • Nope, no confusion. I am specifically asking if something like *.example.com should be avoided using a self-signed cert, not a CA signed cert. – user53029 Jul 13 '15 at 15:51
  • *.example.com should be avoided equally for self-signed and CA-signed certs; there is no affinity to the method of signing. – gowenfawr Jul 13 '15 at 17:28
  • Ok, are you basing this strictly off of problems that could be encountered with client interpretation or something else? – user53029 Jul 13 '15 at 18:43
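As an added illustration of what "the interpretation is up to the client" means in practice (this is example code, not part of the question or of gowenfawr's answer): RFC 2459 defines no wildcard semantics at all, so every validator decides for itself. The script below implements the rules that mainstream browser validators broadly follow today, as written down in RFC 6125 section 6.4.3 and tightened by RFC 9525 and the CA/Browser Forum: a `*` is honoured only when it is the entire leftmost label, it matches exactly one label (so `*.example.com` covers `www.example.com` but neither `example.com` nor `a.b.example.com`), it is not accepted for a top-level pattern like `*.com`, and a dNSName never matches an IP address literal. The SAN list and hostnames are constructed sample values, and `matches_dns_name`/`find_matching_san` are names chosen here, not any library's API. A client that does not apply these rules (an embedded device, a hand-rolled TLS library) may accept more or less, which is the interoperability problem the answer describes.

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple


def _labels(name: str) -> List[str]:
    """Lower-case the name, drop any trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def matches_dns_name(pattern: str, hostname: str) -> bool:
    """Return True if the presented dNSName `pattern` matches `hostname`.

    Rules applied (RFC 6125 / RFC 9525 style, as modern browsers do):
    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is honoured only when it is the whole leftmost label
      ('f*.example.com' and 'www.*.com' are rejected)
    - the wildcard matches exactly one label
    - at least two labels must follow the wildcard ('*.com' is rejected)
    - an IP address literal is never matched by a dNSName pattern
    """
    # IP literals must be matched against iPAddress SAN entries, not dNSName.
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    if "*" in hostname:
        return False  # a hostname being verified can never contain a wildcard
    p = _labels(pattern)
    h = _labels(hostname)
    if "" in p or "" in h:
        return False  # empty labels ('www..example.com') are malformed
    if "*" not in pattern:
        return p == h  # plain name: exact label-by-label comparison
    # Wildcard present: it must be the entire leftmost label and appear only there.
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    if len(p) < 3:
        return False  # '*.com' would cover every .com domain
    # The wildcard stands in for exactly one label; the rest must match exactly.
    return len(h) == len(p) and h[1:] == p[1:]


def find_matching_san(sans: Sequence[Tuple[str, str]], hostname: str) -> Optional[str]:
    """Return the first SAN entry (DNS or IP) that covers `hostname`, or None.

    `sans` is a list of (type, value) pairs as a parsed certificate would yield.
    """
    for kind, value in sans:
        if kind == "DNS" and matches_dns_name(value, hostname):
            return value
        if kind == "IP":
            try:
                if ipaddress.ip_address(value) == ipaddress.ip_address(hostname):
                    return value
            except ValueError:
                continue  # hostname is not an IP literal; skip IP entries
    return None


# Constructed sample SAN list, as it might appear in a self-signed or CA-signed cert.
SAMPLE_SANS = [
    ("DNS", "*.example.com"),
    ("DNS", "example.com"),
    ("IP", "192.0.2.10"),
]

if __name__ == "__main__":
    for host in ["www.example.com", "example.com", "deep.api.example.com",
                 "192.0.2.10", "10.0.0.1"]:
        print(f"{host:24} -> {find_matching_san(SAMPLE_SANS, host)}")
```

Note that `*.example.com` alone does not cover the bare `example.com`, which is why real certificates list both, exactly as `SAMPLE_SANS` does; and nothing here prevents a client that was written against a looser reading of RFC 2459 from accepting `www.*.com`, which is the kind of client-specific behaviour the thread warns about.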