Dynamic/Wildcard SSL certificates with SNI ?

Gabriel L. Somlo gsomlo at gmail.com
Fri Jan 16 16:26:21 UTC 2015

On Thu, 15 Jan 2015 21:13:21, Rainer Duffner wrote:
> > Am 15.01.2015 um 20:50 schrieb Gabriel L. Somlo <gsomlo at gmail.com>:
> > 
> > There is no consistency across the set of vserver host names (and
> > therefore not much to be gained by using wildcards in the certificate
> > common or alt name fields).
> Just issue a certificate for *.*.* and always serve that.
> At least, until the CAB-forum decides this is a not a good idea and
> stops browsers from accepting it.
> I think the above certificate should still be legal, but I?m not 100% sure.

I'm afraid it's already too late for that :(

Since some of my vserver names look like "foo.com" and others like
"foo.bar.org", I already tried (using alt_names):

    *.*, *.*.*


    *.com, *.*.com, *.org, *.*.org, *.net, *.*.net

both forms causing warning popups on any recent (windows7-era) browser.

Apparently, the current policy in effect is not to accept tld-wide
wildcards, much less wildcards across ALL tlds ([*.]*.*).

Since I'm already mass-scripting the csr generation and cert signing
for each vserver, it should be really simple to script generating the
corresponding nginx config file, but allowing demand-driven, request-time
loading of certificate files would work around that enormous ugliness :)


More information about the nginx mailing list