I’m curious about any restrictions related to wildcard matching based on RFCs or general implementation rules.
RFC4592 gives an example using wildcards with just ‘example’ as the domain, like *.example.
To test this out, I tried setting up an environment that matches this kind of domain. However, when I use *.example, browsers reject it for not matching host.example.
When I change it to something like ‘host.domain.example’ with a corresponding wildcard like *.example.com, everything works fine.
Are there any updated RFCs that explain this behavior? I feel like I’m missing something simple, so I’d appreciate any explanations!
It can be confusing, but there’s no need for an update. Wildcard certificates only cover one level of subdomains, not base domains or TLDs.
RFC 6125 explains how hostnames and wildcard certificates should be validated, especially in browsers. RFC 4592 talks about DNS wildcards, but that doesn’t directly apply to TLS certificates.
So just to make sure I understand, because ‘.example’ is treated like a base domain or TLD, a valid wildcard needs to include a ‘domain’ portion? Meaning you can’t have *.example, and instead must use something like *.domain.example?