1

Searched on this, but can't find any clear answer - can a certificate SAN contain a name like "citrix*.domain.com", to permit use with citrixdirector.domain.com and citrixprod.domain.com, for example?

1 Answer

2

The current RFC governing checking of wildcards in DNS SANs is RFC 6125, Section 6.4.3.

According to those rules, a DNS SAN such as "citrix*.domain.com" is permitted. The catch, however, is that the RFC uses the MAY language, which means that it is up to the specific cert-checking client implementation whether it will check/allow such wildcards. Thus the real answer to your question will come down to the clients which are verifying your certs, e.g. browsers, client libraries, etc.

Hope this helps!

Castaglia
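The difference between a client that applies the optional partial-label rule of RFC 6125, Section 6.4.3 and one that does not, shown as an added example (not part of the original answer and not any particular client's code). The function names and the `allow_partial_label` switch are hypothetical, and the sample hostnames are constructed from the question.

```python
def san_matches(pattern: str, hostname: str, allow_partial_label: bool) -> bool:
    """Match one DNS SAN against a hostname using the RFC 6125 6.4.3 rules.

    allow_partial_label is a hypothetical switch standing in for the client's
    choice on the optional (MAY) rule for wildcards such as "citrix*".
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels  # no wildcard: exact match only

    left, rest = p_labels[0], p_labels[1:]
    # Rule 1: the wildcard may appear only in the left-most label (once here).
    if left.count("*") != 1 or any("*" in label for label in rest):
        return False
    # Rule 2: the wildcard label covers exactly one label of the hostname,
    # so label counts must agree and everything to the right must be equal.
    if len(h_labels) != len(p_labels) or h_labels[1:] != rest:
        return False
    host_label = h_labels[0]
    if left == "*":
        return host_label != ""
    # Rule 3 (MAY): wildcard is only part of the label, e.g. "citrix*".
    if not allow_partial_label:
        return False
    # Wildcards embedded in an IDN A-label are not matched.
    if left.startswith("xn--"):
        return False
    prefix, suffix = left.split("*")
    # Assumption: the wildcard may stand for zero or more characters.
    return (len(host_label) >= len(prefix) + len(suffix)
            and host_label.startswith(prefix)
            and host_label.endswith(suffix))


def compare_policies(pattern, hostnames):
    """Return {hostname: (result_if_MAY_rule_applied, result_if_not)}."""
    return {h: (san_matches(pattern, h, True), san_matches(pattern, h, False))
            for h in hostnames}


if __name__ == "__main__":
    # Constructed sample names: two from the question plus two negatives.
    names = ["citrixdirector.domain.com", "citrixprod.domain.com",
             "mail.domain.com", "citrix.prod.domain.com"]
    for host, result in compare_policies("citrix*.domain.com", names).items():
        print(host, result)
```

A certificate that must work with every client is safer listing each hostname as its own SAN entry, since that path does not depend on the optional rule.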