Self-signed wildcard certificate
I've got pihole set up at home, so I want to be able to handle requests for any website with my own server, to show a "this site has been blocked" page.
I'm attempting to do this by creating a self-signed certificate for any url and installing this on my device. The commands I used to generate the certificate:
openssl genrsa 2048 > pihole.key
openssl req -new -x509 -nodes -days 36500
-key pihole.key
-subj "/C=NL/ST=Utrecht, Inc./CN=*"
-reqexts SAN
-config <(cat /etc/ssl/openssl.cnf
<(printf "n[SAN]nsubjectAltName=DNS:*,DNS:*"))
-out pihole.cert
openssl x509 -noout -fingerprint -text < pihole.cert > pihole.info
cat pihole.cert pihole.info > pihole.pem
service apache2 reload
I've installed this certificate on my windows device, and windows shows that it's a valid certificate.
However, chrome gives me a NET::ERR_CERT_COMMON_NAME_INVALID
, and edge gives me a similar error (DLG_FLAGS_SEC_CERT_CN_INVALID
)
Why is this? Is CN = *
just not allowed? How could I achieve what I want?
ssl certificate
|
show 1 more comment
I've got pihole set up at home, so I want to be able to handle requests for any website with my own server, to show a "this site has been blocked" page.
I'm attempting to do this by creating a self-signed certificate for any url and installing this on my device. The commands I used to generate the certificate:
openssl genrsa 2048 > pihole.key
openssl req -new -x509 -nodes -days 36500
-key pihole.key
-subj "/C=NL/ST=Utrecht, Inc./CN=*"
-reqexts SAN
-config <(cat /etc/ssl/openssl.cnf
<(printf "n[SAN]nsubjectAltName=DNS:*,DNS:*"))
-out pihole.cert
openssl x509 -noout -fingerprint -text < pihole.cert > pihole.info
cat pihole.cert pihole.info > pihole.pem
service apache2 reload
I've installed this certificate on my windows device, and windows shows that it's a valid certificate.
However, chrome gives me a NET::ERR_CERT_COMMON_NAME_INVALID
, and edge gives me a similar error (DLG_FLAGS_SEC_CERT_CN_INVALID
)
Why is this? Is CN = *
just not allowed? How could I achieve what I want?
ssl certificate
As a side note: For major websites your browser will probably not accept any certificate you manage to generate. Those sites use certificate-pinning and submit fingerprints of their TLS certs for inclusion in those browsers. Your cert won't match the stored fingerprint and will be blocked. Here's more info: noncombatant.org/2015/05/01/about-http-public-key-pinning
– Martijn Heemels
Nov 13 '18 at 12:44
self signed certs can be problematic as you have discovered. You could instead look at getting a "proper" certification from letsencrypt.org - they are free and support wildcards. Depending on how many of the hosts you were trying to cover with that * you actually need, one (or more) certs from letsencrypt could cover you
– Dave Smylie
Nov 13 '18 at 22:30
1
@DaveSmylie it's for an adblocker, I don't own the domains.
– Daniël van den Berg
Nov 14 '18 at 5:53
letsencrypt.org will give you signed certs for free
– Stewart
Nov 14 '18 at 10:43
1
Also of note: if you're using this for an adblocker, it might be better to just silently drop the connections to relevant servers instead of showing an alternative page. 90% of modern ads are initially loaded through JavaScript, so it's unlikely your alternative page is going to have any real visibility on the page. It's probably going to break stuff, actually, trying to load non-JavaScript resources as Javascript.
– Nzall
Nov 14 '18 at 14:13
|
show 1 more comment
I've got pihole set up at home, so I want to be able to handle requests for any website with my own server, to show a "this site has been blocked" page.
I'm attempting to do this by creating a self-signed certificate for any url and installing this on my device. The commands I used to generate the certificate:
openssl genrsa 2048 > pihole.key
openssl req -new -x509 -nodes -days 36500
-key pihole.key
-subj "/C=NL/ST=Utrecht, Inc./CN=*"
-reqexts SAN
-config <(cat /etc/ssl/openssl.cnf
<(printf "n[SAN]nsubjectAltName=DNS:*,DNS:*"))
-out pihole.cert
openssl x509 -noout -fingerprint -text < pihole.cert > pihole.info
cat pihole.cert pihole.info > pihole.pem
service apache2 reload
I've installed this certificate on my windows device, and windows shows that it's a valid certificate.
However, chrome gives me a NET::ERR_CERT_COMMON_NAME_INVALID
, and edge gives me a similar error (DLG_FLAGS_SEC_CERT_CN_INVALID
)
Why is this? Is CN = *
just not allowed? How could I achieve what I want?
ssl certificate
I've got pihole set up at home, so I want to be able to handle requests for any website with my own server, to show a "this site has been blocked" page.
I'm attempting to do this by creating a self-signed certificate for any url and installing this on my device. The commands I used to generate the certificate:
openssl genrsa 2048 > pihole.key
openssl req -new -x509 -nodes -days 36500
-key pihole.key
-subj "/C=NL/ST=Utrecht, Inc./CN=*"
-reqexts SAN
-config <(cat /etc/ssl/openssl.cnf
<(printf "n[SAN]nsubjectAltName=DNS:*,DNS:*"))
-out pihole.cert
openssl x509 -noout -fingerprint -text < pihole.cert > pihole.info
cat pihole.cert pihole.info > pihole.pem
service apache2 reload
I've installed this certificate on my windows device, and windows shows that it's a valid certificate.
However, chrome gives me a NET::ERR_CERT_COMMON_NAME_INVALID
, and edge gives me a similar error (DLG_FLAGS_SEC_CERT_CN_INVALID
)
Why is this? Is CN = *
just not allowed? How could I achieve what I want?
ssl certificate
ssl certificate
edited Nov 13 '18 at 9:08
Máté Juhász
14.3k63351
14.3k63351
asked Nov 13 '18 at 8:47
Daniël van den BergDaniël van den Berg
235213
235213
As a side note: For major websites your browser will probably not accept any certificate you manage to generate. Those sites use certificate-pinning and submit fingerprints of their TLS certs for inclusion in those browsers. Your cert won't match the stored fingerprint and will be blocked. Here's more info: noncombatant.org/2015/05/01/about-http-public-key-pinning
– Martijn Heemels
Nov 13 '18 at 12:44
self signed certs can be problematic as you have discovered. You could instead look at getting a "proper" certification from letsencrypt.org - they are free and support wildcards. Depending on how many of the hosts you were trying to cover with that * you actually need, one (or more) certs from letsencrypt could cover you
– Dave Smylie
Nov 13 '18 at 22:30
1
@DaveSmylie it's for an adblocker, I don't own the domains.
– Daniël van den Berg
Nov 14 '18 at 5:53
letsencrypt.org will give you signed certs for free
– Stewart
Nov 14 '18 at 10:43
1
Also of note: if you're using this for an adblocker, it might be better to just silently drop the connections to relevant servers instead of showing an alternative page. 90% of modern ads are initially loaded through JavaScript, so it's unlikely your alternative page is going to have any real visibility on the page. It's probably going to break stuff, actually, trying to load non-JavaScript resources as Javascript.
– Nzall
Nov 14 '18 at 14:13
|
show 1 more comment
As a side note: For major websites your browser will probably not accept any certificate you manage to generate. Those sites use certificate-pinning and submit fingerprints of their TLS certs for inclusion in those browsers. Your cert won't match the stored fingerprint and will be blocked. Here's more info: noncombatant.org/2015/05/01/about-http-public-key-pinning
– Martijn Heemels
Nov 13 '18 at 12:44
self signed certs can be problematic as you have discovered. You could instead look at getting a "proper" certification from letsencrypt.org - they are free and support wildcards. Depending on how many of the hosts you were trying to cover with that * you actually need, one (or more) certs from letsencrypt could cover you
– Dave Smylie
Nov 13 '18 at 22:30
1
@DaveSmylie it's for an adblocker, I don't own the domains.
– Daniël van den Berg
Nov 14 '18 at 5:53
letsencrypt.org will give you signed certs for free
– Stewart
Nov 14 '18 at 10:43
1
Also of note: if you're using this for an adblocker, it might be better to just silently drop the connections to relevant servers instead of showing an alternative page. 90% of modern ads are initially loaded through JavaScript, so it's unlikely your alternative page is going to have any real visibility on the page. It's probably going to break stuff, actually, trying to load non-JavaScript resources as Javascript.
– Nzall
Nov 14 '18 at 14:13
As a side note: For major websites your browser will probably not accept any certificate you manage to generate. Those sites use certificate-pinning and submit fingerprints of their TLS certs for inclusion in those browsers. Your cert won't match the stored fingerprint and will be blocked. Here's more info: noncombatant.org/2015/05/01/about-http-public-key-pinning
– Martijn Heemels
Nov 13 '18 at 12:44
As a side note: For major websites your browser will probably not accept any certificate you manage to generate. Those sites use certificate-pinning and submit fingerprints of their TLS certs for inclusion in those browsers. Your cert won't match the stored fingerprint and will be blocked. Here's more info: noncombatant.org/2015/05/01/about-http-public-key-pinning
– Martijn Heemels
Nov 13 '18 at 12:44
self signed certs can be problematic as you have discovered. You could instead look at getting a "proper" certification from letsencrypt.org - they are free and support wildcards. Depending on how many of the hosts you were trying to cover with that * you actually need, one (or more) certs from letsencrypt could cover you
– Dave Smylie
Nov 13 '18 at 22:30
self signed certs can be problematic as you have discovered. You could instead look at getting a "proper" certification from letsencrypt.org - they are free and support wildcards. Depending on how many of the hosts you were trying to cover with that * you actually need, one (or more) certs from letsencrypt could cover you
– Dave Smylie
Nov 13 '18 at 22:30
1
1
@DaveSmylie it's for an adblocker, I don't own the domains.
– Daniël van den Berg
Nov 14 '18 at 5:53
@DaveSmylie it's for an adblocker, I don't own the domains.
– Daniël van den Berg
Nov 14 '18 at 5:53
letsencrypt.org will give you signed certs for free
– Stewart
Nov 14 '18 at 10:43
letsencrypt.org will give you signed certs for free
– Stewart
Nov 14 '18 at 10:43
1
1
Also of note: if you're using this for an adblocker, it might be better to just silently drop the connections to relevant servers instead of showing an alternative page. 90% of modern ads are initially loaded through JavaScript, so it's unlikely your alternative page is going to have any real visibility on the page. It's probably going to break stuff, actually, trying to load non-JavaScript resources as Javascript.
– Nzall
Nov 14 '18 at 14:13
Also of note: if you're using this for an adblocker, it might be better to just silently drop the connections to relevant servers instead of showing an alternative page. 90% of modern ads are initially loaded through JavaScript, so it's unlikely your alternative page is going to have any real visibility on the page. It's probably going to break stuff, actually, trying to load non-JavaScript resources as Javascript.
– Nzall
Nov 14 '18 at 14:13
|
show 1 more comment
2 Answers
2
active
oldest
votes
It is not allowed. As a protocol-specific addition to the standard TLS hostname validation, all major web browsers (HTTPS clients) have basically agreed to restrict wildcard certificates to "eTLD+1" – that is, there must be an "effective TLD" plus one more non-wildcard component.
Generally this translates to requiring at least two components (*.example.net
is okay but *.net
is not, neither is a bare *
). The "effective TLD" rule expands this to multi-level suffixes as co.uk
that people use as indivisible "TLDs" in practice. (So *.example.ac.uk
is allowed but *.ac.uk
is not.)
You can inspect how the public suffix list is implemented in Chromium and in Mozilla.
See related discussion in Security.SE which has a quote from the CA-Browser Forum Baseline Requirements (which only apply to public WebPKI CAs, but still reflect the general implementation anyway):
CAs SHALL revoke any certificate where wildcard character occurs in the first label position immediately to the left of a “registry‐controlled” label or “public suffix”.
To avoid this restriction, build a certificate authority that issues certificates "on demand" for whatever website you try to visit. I don't know how that would be implemented in any regular web server, but this is a common method used by commercial TLS interception systems; antivirus programs and other malware; and development tools such as the Burp Proxy suite.
For example, the OpenResty web server (basically Nginx-with-Lua) has a ssl_certificate_by_lua
option to implement dynamic certificate generation. The Squid proxy supports certificate mimicking in its ssl-bump feature.
Also note that SANs completely override the Subject-CN if both are present. This makes including the CN mostly redundant (unless your client software is so ancient it lacks SAN support), and for public CAs web browsers don't even accept it anymore.
I already found about that TLD+1 limit empirically here in a project earlier on. Thanks for laying it out. +1
– Rui F Ribeiro
Nov 13 '18 at 12:32
Thanks for your elaborate answer, I guess that explains it yeah. Do you happen to know a different approach that I could use?
– Daniël van den Berg
Nov 13 '18 at 13:08
21
Upvoted for strategic placement of "and other malware".
– Džuris
Nov 13 '18 at 16:12
@DaniëlvandenBerg: I happen to have suggested one in the post itself. I've just added links to Nginx and Squid examples.
– grawity
Nov 14 '18 at 9:05
add a comment |
There can only be a single wildcard in a certificate (i.e. no *.*.example.com
), it can match only a single label (i.e. only www
, not www.example.com
), it can only be on the leftmost position (i.e. *.www.example.com
but not www.*.example.com
) and it cannot be inside the public suffix (i.e. no *.com
).
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "3"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1374959%2fself-signed-wildcard-certificate%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
It is not allowed. As a protocol-specific addition to the standard TLS hostname validation, all major web browsers (HTTPS clients) have basically agreed to restrict wildcard certificates to "eTLD+1" – that is, there must be an "effective TLD" plus one more non-wildcard component.
Generally this translates to requiring at least two components (*.example.net
is okay but *.net
is not, neither is a bare *
). The "effective TLD" rule expands this to multi-level suffixes as co.uk
that people use as indivisible "TLDs" in practice. (So *.example.ac.uk
is allowed but *.ac.uk
is not.)
You can inspect how the public suffix list is implemented in Chromium and in Mozilla.
See related discussion in Security.SE which has a quote from the CA-Browser Forum Baseline Requirements (which only apply to public WebPKI CAs, but still reflect the general implementation anyway):
CAs SHALL revoke any certificate where wildcard character occurs in the first label position immediately to the left of a “registry‐controlled” label or “public suffix”.
To avoid this restriction, build a certificate authority that issues certificates "on demand" for whatever website you try to visit. I don't know how that would be implemented in any regular web server, but this is a common method used by commercial TLS interception systems; antivirus programs and other malware; and development tools such as the Burp Proxy suite.
For example, the OpenResty web server (basically Nginx-with-Lua) has a ssl_certificate_by_lua
option to implement dynamic certificate generation. The Squid proxy supports certificate mimicking in its ssl-bump feature.
Also note that SANs completely override the Subject-CN if both are present. This makes including the CN mostly redundant (unless your client software is so ancient it lacks SAN support), and for public CAs web browsers don't even accept it anymore.
I already found about that TLD+1 limit empirically here in a project earlier on. Thanks for laying it out. +1
– Rui F Ribeiro
Nov 13 '18 at 12:32
Thanks for your elaborate answer, I guess that explains it yeah. Do you happen to know a different approach that I could use?
– Daniël van den Berg
Nov 13 '18 at 13:08
21
Upvoted for strategic placement of "and other malware".
– Džuris
Nov 13 '18 at 16:12
@DaniëlvandenBerg: I happen to have suggested one in the post itself. I've just added links to Nginx and Squid examples.
– grawity
Nov 14 '18 at 9:05
add a comment |
It is not allowed. As a protocol-specific addition to the standard TLS hostname validation, all major web browsers (HTTPS clients) have basically agreed to restrict wildcard certificates to "eTLD+1" – that is, there must be an "effective TLD" plus one more non-wildcard component.
Generally this translates to requiring at least two components (*.example.net
is okay but *.net
is not, neither is a bare *
). The "effective TLD" rule expands this to multi-level suffixes as co.uk
that people use as indivisible "TLDs" in practice. (So *.example.ac.uk
is allowed but *.ac.uk
is not.)
You can inspect how the public suffix list is implemented in Chromium and in Mozilla.
See related discussion in Security.SE which has a quote from the CA-Browser Forum Baseline Requirements (which only apply to public WebPKI CAs, but still reflect the general implementation anyway):
CAs SHALL revoke any certificate where wildcard character occurs in the first label position immediately to the left of a “registry‐controlled” label or “public suffix”.
To avoid this restriction, build a certificate authority that issues certificates "on demand" for whatever website you try to visit. I don't know how that would be implemented in any regular web server, but this is a common method used by commercial TLS interception systems; antivirus programs and other malware; and development tools such as the Burp Proxy suite.
For example, the OpenResty web server (basically Nginx-with-Lua) has a ssl_certificate_by_lua
option to implement dynamic certificate generation. The Squid proxy supports certificate mimicking in its ssl-bump feature.
Also note that SANs completely override the Subject-CN if both are present. This makes including the CN mostly redundant (unless your client software is so ancient it lacks SAN support), and for public CAs web browsers don't even accept it anymore.
I already found about that TLD+1 limit empirically here in a project earlier on. Thanks for laying it out. +1
– Rui F Ribeiro
Nov 13 '18 at 12:32
Thanks for your elaborate answer, I guess that explains it yeah. Do you happen to know a different approach that I could use?
– Daniël van den Berg
Nov 13 '18 at 13:08
21
Upvoted for strategic placement of "and other malware".
– Džuris
Nov 13 '18 at 16:12
@DaniëlvandenBerg: I happen to have suggested one in the post itself. I've just added links to Nginx and Squid examples.
– grawity
Nov 14 '18 at 9:05
add a comment |
It is not allowed. As a protocol-specific addition to the standard TLS hostname validation, all major web browsers (HTTPS clients) have basically agreed to restrict wildcard certificates to "eTLD+1" – that is, there must be an "effective TLD" plus one more non-wildcard component.
Generally this translates to requiring at least two components (*.example.net
is okay but *.net
is not, neither is a bare *
). The "effective TLD" rule expands this to multi-level suffixes as co.uk
that people use as indivisible "TLDs" in practice. (So *.example.ac.uk
is allowed but *.ac.uk
is not.)
You can inspect how the public suffix list is implemented in Chromium and in Mozilla.
See related discussion in Security.SE which has a quote from the CA-Browser Forum Baseline Requirements (which only apply to public WebPKI CAs, but still reflect the general implementation anyway):
CAs SHALL revoke any certificate where wildcard character occurs in the first label position immediately to the left of a “registry‐controlled” label or “public suffix”.
To avoid this restriction, build a certificate authority that issues certificates "on demand" for whatever website you try to visit. I don't know how that would be implemented in any regular web server, but this is a common method used by commercial TLS interception systems; antivirus programs and other malware; and development tools such as the Burp Proxy suite.
For example, the OpenResty web server (basically Nginx-with-Lua) has a ssl_certificate_by_lua
option to implement dynamic certificate generation. The Squid proxy supports certificate mimicking in its ssl-bump feature.
Also note that SANs completely override the Subject-CN if both are present. This makes including the CN mostly redundant (unless your client software is so ancient it lacks SAN support), and for public CAs web browsers don't even accept it anymore.
It is not allowed. As a protocol-specific addition to the standard TLS hostname validation, all major web browsers (HTTPS clients) have basically agreed to restrict wildcard certificates to "eTLD+1" – that is, there must be an "effective TLD" plus one more non-wildcard component.
Generally this translates to requiring at least two components (*.example.net
is okay but *.net
is not, neither is a bare *
). The "effective TLD" rule expands this to multi-level suffixes as co.uk
that people use as indivisible "TLDs" in practice. (So *.example.ac.uk
is allowed but *.ac.uk
is not.)
You can inspect how the public suffix list is implemented in Chromium and in Mozilla.
See related discussion in Security.SE which has a quote from the CA-Browser Forum Baseline Requirements (which only apply to public WebPKI CAs, but still reflect the general implementation anyway):
CAs SHALL revoke any certificate where wildcard character occurs in the first label position immediately to the left of a “registry‐controlled” label or “public suffix”.
To avoid this restriction, build a certificate authority that issues certificates "on demand" for whatever website you try to visit. I don't know how that would be implemented in any regular web server, but this is a common method used by commercial TLS interception systems; antivirus programs and other malware; and development tools such as the Burp Proxy suite.
For example, the OpenResty web server (basically Nginx-with-Lua) has a ssl_certificate_by_lua
option to implement dynamic certificate generation. The Squid proxy supports certificate mimicking in its ssl-bump feature.
Also note that SANs completely override the Subject-CN if both are present. This makes including the CN mostly redundant (unless your client software is so ancient it lacks SAN support), and for public CAs web browsers don't even accept it anymore.
edited Nov 14 '18 at 9:03
answered Nov 13 '18 at 9:01
grawitygrawity
236k37498553
236k37498553
I already found about that TLD+1 limit empirically here in a project earlier on. Thanks for laying it out. +1
– Rui F Ribeiro
Nov 13 '18 at 12:32
Thanks for your elaborate answer, I guess that explains it yeah. Do you happen to know a different approach that I could use?
– Daniël van den Berg
Nov 13 '18 at 13:08
21
Upvoted for strategic placement of "and other malware".
– Džuris
Nov 13 '18 at 16:12
@DaniëlvandenBerg: I happen to have suggested one in the post itself. I've just added links to Nginx and Squid examples.
– grawity
Nov 14 '18 at 9:05
add a comment |
I already found about that TLD+1 limit empirically here in a project earlier on. Thanks for laying it out. +1
– Rui F Ribeiro
Nov 13 '18 at 12:32
Thanks for your elaborate answer, I guess that explains it yeah. Do you happen to know a different approach that I could use?
– Daniël van den Berg
Nov 13 '18 at 13:08
21
Upvoted for strategic placement of "and other malware".
– Džuris
Nov 13 '18 at 16:12
@DaniëlvandenBerg: I happen to have suggested one in the post itself. I've just added links to Nginx and Squid examples.
– grawity
Nov 14 '18 at 9:05
I already found about that TLD+1 limit empirically here in a project earlier on. Thanks for laying it out. +1
– Rui F Ribeiro
Nov 13 '18 at 12:32
I already found about that TLD+1 limit empirically here in a project earlier on. Thanks for laying it out. +1
– Rui F Ribeiro
Nov 13 '18 at 12:32
Thanks for your elaborate answer, I guess that explains it yeah. Do you happen to know a different approach that I could use?
– Daniël van den Berg
Nov 13 '18 at 13:08
Thanks for your elaborate answer, I guess that explains it yeah. Do you happen to know a different approach that I could use?
– Daniël van den Berg
Nov 13 '18 at 13:08
21
21
Upvoted for strategic placement of "and other malware".
– Džuris
Nov 13 '18 at 16:12
Upvoted for strategic placement of "and other malware".
– Džuris
Nov 13 '18 at 16:12
@DaniëlvandenBerg: I happen to have suggested one in the post itself. I've just added links to Nginx and Squid examples.
– grawity
Nov 14 '18 at 9:05
@DaniëlvandenBerg: I happen to have suggested one in the post itself. I've just added links to Nginx and Squid examples.
– grawity
Nov 14 '18 at 9:05
add a comment |
There can only be a single wildcard in a certificate (i.e. no *.*.example.com
), it can match only a single label (i.e. only www
, not www.example.com
), it can only be on the leftmost position (i.e. *.www.example.com
but not www.*.example.com
) and it cannot be inside the public suffix (i.e. no *.com
).
add a comment |
There can only be a single wildcard in a certificate (i.e. no *.*.example.com
), it can match only a single label (i.e. only www
, not www.example.com
), it can only be on the leftmost position (i.e. *.www.example.com
but not www.*.example.com
) and it cannot be inside the public suffix (i.e. no *.com
).
add a comment |
There can only be a single wildcard in a certificate (i.e. no *.*.example.com
), it can match only a single label (i.e. only www
, not www.example.com
), it can only be on the leftmost position (i.e. *.www.example.com
but not www.*.example.com
) and it cannot be inside the public suffix (i.e. no *.com
).
There can only be a single wildcard in a certificate (i.e. no *.*.example.com
), it can match only a single label (i.e. only www
, not www.example.com
), it can only be on the leftmost position (i.e. *.www.example.com
but not www.*.example.com
) and it cannot be inside the public suffix (i.e. no *.com
).
answered Nov 13 '18 at 9:01
Steffen UllrichSteffen Ullrich
3,093714
3,093714
add a comment |
add a comment |
Thanks for contributing an answer to Super User!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1374959%2fself-signed-wildcard-certificate%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
As a side note: For major websites your browser will probably not accept any certificate you manage to generate. Those sites use certificate-pinning and submit fingerprints of their TLS certs for inclusion in those browsers. Your cert won't match the stored fingerprint and will be blocked. Here's more info: noncombatant.org/2015/05/01/about-http-public-key-pinning
– Martijn Heemels
Nov 13 '18 at 12:44
self signed certs can be problematic as you have discovered. You could instead look at getting a "proper" certification from letsencrypt.org - they are free and support wildcards. Depending on how many of the hosts you were trying to cover with that * you actually need, one (or more) certs from letsencrypt could cover you
– Dave Smylie
Nov 13 '18 at 22:30
1
@DaveSmylie it's for an adblocker, I don't own the domains.
– Daniël van den Berg
Nov 14 '18 at 5:53
letsencrypt.org will give you signed certs for free
– Stewart
Nov 14 '18 at 10:43
1
Also of note: if you're using this for an adblocker, it might be better to just silently drop the connections to relevant servers instead of showing an alternative page. 90% of modern ads are initially loaded through JavaScript, so it's unlikely your alternative page is going to have any real visibility on the page. It's probably going to break stuff, actually, trying to load non-JavaScript resources as Javascript.
– Nzall
Nov 14 '18 at 14:13