certificates How to create a dns allow policy that can use sub-sub domains?

How to create a dns allow policy that can use sub-sub domains?

Open akumar-xyz opened this issue 1 year ago • 2 comments

Hello!

Vote on this issue by adding a 👍 reaction
If you want to document this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Affected area/feature

When configuring CA issuance policy, how to allow all sub-sub domains i.e. wildcard that expands to multiple labels?

For clarity:

*.acme.com
- MATCHES xyz.acme.com
- NOT MATCH xyz.cloud.acme.com
*.*.acme.com - NOT ALLOWED (cannot parse permitted URI domain constraint "*.*.acme.com": URI domain constraint "*.*.acme.com" can only have wildcard as starting character)
.acme.com - NOT ALLOWED (cannot parse permitted domain constraint ".acme.com": domain constraint ".acme.com" with wildcard should start with *)

I also tried 3 because RFC5280 states:

When the constraint begins with a period, it MAY be expanded with one or more labels. That is, the constraint ".example.com" is satisfied by both host.example.com and my.host.example.com. However, the constraint ".example.com" is not satisfied by "example.com".

As far as I can tell, the matching rules are more similar to RFC2818 which would mean what I'm trying to do is not possible.

Is it possible to match for all sub-sub domains with just one rule? Something like **.acme.com? Is the only solution to maintain a list of subdomains as well?

Nov 02 '24 06:11 akumar-xyz

certificates certificates copied to clipboard

How to create a dns allow policy that can use sub-sub domains?

Hello!

Affected area/feature

certificates
certificates copied to clipboard