Hi Gentleman, Here's another that looks illegal per the RFCs and CA/B Baseline.
Create a server cert with a single SAN of "WWW.*.COM": $ openssl x509 -in server-rsa-cert.pem -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 9008050290962543110 (0x7d0306034fad3206) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Example, LLC, CN=Example CA Validity Not Before: Jan 1 00:00:00 2014 GMT Not After : Jan 1 00:00:00 2024 GMT Subject: O=Example, LLC, CN=Example Certificate Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:b0:3b:86:b8:17:4e:0f:b7:d5:ff:9b:4a:16:32: ... aa:7a:2e:24:75:25:20:e6:5e:5c:c2:67:56:0f:14: dd:0b Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Subject Alternative Name: DNS:www.*.com X509v3 Basic Constraints: CA:FALSE X509v3 Key Usage: Digital Signature, Key Encipherment, Key Agreement X509v3 Subject Key Identifier: B5:AF:38:82:0C:C4:32:6E:9F:F5:F1:97:83:49:26:8D:AB:CB:3C:88 X509v3 Authority Key Identifier: keyid:B1:77:69:71:06:C6:25:90:28:B8:BA:49:70:A1:2F:3F:0F:32:C0:3C ... Start the server: $ openssl s_server -accept 8443 -www -certform PEM -cert server-rsa-cert-2.pem -keyform PEM -key server-rsa-key-plain.pem -tls1 -cipher HIGH:-EDH:-DHE Make a client request trusting the exemplary CA: $ wget https://www.example.com:8443 --ca-certificate ca-rsa-cert.pem --2014-03-21 23:05:24-- https://www.example.com:8443/ Resolving www.example.com (www.example.com)... 127.0.0.1 Connecting to www.example.com (www.example.com)|127.0.0.1|:8443... connected. HTTP request sent, awaiting response... 200 ok Length: unspecified [text/html] Saving to: `index.html' ... $ wget https://www.foo.com:8443 --ca-certificate ca-rsa-cert.pem --2014-03-21 23:06:46-- https://www.foo.com:8443/ Resolving www.foo.com (www.foo.com)... 127.0.0.1 Connecting to www.foo.com (www.foo.com)|127.0.0.1|:8443... connected. HTTP request sent, awaiting response... 200 ok Length: unspecified [text/html] Saving to: `index.html.1' ... $ wget https://www.bar.com:8443 --ca-certificate ca-rsa-cert.pem --2014-03-21 23:06:54-- https://www.bar.com:8443/ Resolving www.bar.com (www.bar.com)... 127.0.0.1 Connecting to www.bar.com (www.bar.com)|127.0.0.1|:8443... connected. HTTP request sent, awaiting response... 200 ok Length: unspecified [text/html] Saving to: `index.html.2' ... ***** I also found a server certificate with two SANs is most useful: one "*.COM", and one "WWW.*.COM". I've also got a really cool "one cert to rule them all". Its got the top levels (*.COM, *.NET, etc) and the named host variants (WWW.*.COM, WWW.*.NET, MAIL.*.COM, MAIL.*.NET, FTP.*.COM, FTP.*.NET). ***** Attached is the cert with "WWW.*.COM". All the other parameters (CA key and cert, server key) are the same, but they were attached for convenience. ***** This was also sent this to the GnuTLS folks, but I wanted to give the Wget project a heads up. Jeffrey Walton
server-rsa-cert.pem
Description: application/x509-ca-cert
server-rsa-key-plain.pem
Description: application/x509-ca-cert
ca-rsa-cert.pem
Description: application/x509-ca-cert