Open akumar-xyz opened 3 weeks ago
Hey @akumar-xyz, thank you for opening the issue.
For the current implementation we decided our issuance policies had to be simple to configure, and thus we decided to put limits on the usage of the wildcard to a single label. While it's true that the evaluation rules are similar to how X509 Name Constraints are defined and evaluated, they're not exactly the same, the main reason for which is to keep things simple.
If you need wildcards on multiple labels you'll indeed need to keep track of the subdomains, and define a rule for each. Or instead of using an issuance policy, you can implement a webhook receiver to fully control when a certificate is allowed to be signed using our webhooks support.
Hello!
Affected area/feature
When configuring CA issuance policy, how to allow all sub-sub domains i.e. wildcard that expands to multiple labels?
For clarity:
*.acme.com
xyz.acme.com
xyz.cloud.acme.com
*.*.acme.com
- NOT ALLOWED (cannot parse permitted URI domain constraint "*.*.acme.com": URI domain constraint "*.*.acme.com" can only have wildcard as starting character
).acme.com
- NOT ALLOWED (cannot parse permitted domain constraint ".acme.com": domain constraint ".acme.com" with wildcard should start with *
)I also tried 3 because RFC5280 states:
As far as I can tell, the matching rules are more similar to RFC2818 which would mean what I'm trying to do is not possible.
Is it possible to match for all sub-sub domains with just one rule? Something like
**.acme.com
? Is the only solution to maintain a list of subdomains as well?