On Mon, May 14, 2012 at 1:33 PM, Andy GOKTAS <andy.gok...@state.or.us> wrote:
> The bottom line is that *.<env> does prompt with the Mismatched address in the certificate, but testing the same cert configuration with <dnsalias>.<env> as the subjectAltName rather than *.<env>, it tests successfully (picks up the SubjectAltName and no prompts). I was just trying to find out where it may be documented with why wildcards are not allowed in SubjectAltNames for certificates - if this is the case, of course.
PKIX (RFC2457/3280/5280/et seq) doesn't specify wildcard semantics. HTTP over TLS (RFC2818) does, and specifies them for both CN= and sAN. (It also deprecates CN=, and states that if sAN exists it MUST be used instead.)
What user implementation are you seeing this with? -Kyle H
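The RFC 2818 §3.1 rules Kyle cites (wildcard matches one label or label fragment; a dNSName subjectAltName, when present, takes precedence over CN), written out as a name-matching routine so the thread's `*.<env>` vs `<dnsalias>.<env>` case can be checked against what the spec says rather than what a particular client does. This is an added example, not code from the thread or from any of the implementations discussed; the certificate is modelled as plain Python values (a CN string and a list of dNSName strings) instead of a parsed X.509 object, and `corp.example` stands in for the redacted `<env>`.

```python
import re


def rfc2818_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (CN or dNSName SAN) against a hostname
    using RFC 2818 section 3.1 wildcard semantics: '*' matches any single
    domain name component or component fragment, never a label boundary.
    So '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com', and
    'f*.com' matches 'foo.com' but not 'bar.com'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard cannot absorb extra labels
    for p_label, h_label in zip(p_labels, h_labels):
        # Build a per-label regex: '*' -> any run of non-dot characters,
        # everything else matched literally.
        regex = "".join("[^.]*" if ch == "*" else re.escape(ch) for ch in p_label)
        if re.fullmatch(regex, h_label) is None:
            return False
    return True


def hostname_matches_cert(hostname: str, san_dns_names, subject_cn) -> bool:
    """RFC 2818 section 3.1: if a subjectAltName of type dNSName is present it
    MUST be used as the identity; the subject CN is consulted only when no
    dNSName SAN exists.  Both CN and SAN entries may carry wildcards."""
    if san_dns_names:
        return any(rfc2818_name_matches(n, hostname) for n in san_dns_names)
    return subject_cn is not None and rfc2818_name_matches(subject_cn, hostname)


if __name__ == "__main__":
    # Constructed values standing in for the thread's redacted names.
    host = "dnsalias.corp.example"
    print(hostname_matches_cert(host, ["*.corp.example"], "web01.corp.example"))      # True: wildcard SAN
    print(hostname_matches_cert(host, ["dnsalias.corp.example"], None))              # True: exact SAN
    print(hostname_matches_cert(host, ["web01.corp.example"], "dnsalias.corp.example"))  # False: SAN present, CN ignored
    print(hostname_matches_cert("a.b.corp.example", ["*.corp.example"], None))       # False: one label only
```

A client that prompts on a wildcard SAN for `dnsalias.corp.example` here is applying stricter rules than RFC 2818 requires, which is the discrepancy the thread is chasing.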