by pfg 3299 days ago
This is not intended to prohibit wildcard issuance. It just makes clear that identifiers in authorizations (and therefore challenges) are always actual FQDNs. You may still submit CSRs that include wildcard identifiers, and whether they're issued, which identifiers will have to be validated and what challenge type is required is up to CA policy. This is mentioned in section 10.5 of the spec[1].

To me, Let's Encrypt not supporting wildcards seems mostly like a policy decision where they're choosing not to support some use-cases in exchange for a security win: not having the compromise of one domain affect certificate issuance for all of its subdomains, less overall complexity, and preventing users from getting into the habit of using one wildcard certificate with the same key across multiple services.

[1]: https://ietf-wg-acme.github.io/acme/#rfc.section.10.5
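As an added example (not code from the ACME draft, from Let's Encrypt, or from the commenter), here is a small Python model of the split the comment describes: names in a CSR may be wildcards, but the identifiers a CA authorizes and challenges are always concrete FQDNs, and what a wildcard name requires is a policy knob on the CA side. The `wildcard_policy` values ("reject", meaning wildcards are refused outright; "parent", meaning `*.base` is issuable once `base` itself is authorized) and the DNS-name syntax checks are assumptions made for illustration, not something the spec mandates.

```python
"""Model of the ACME split between CSR identifiers and authorization
identifiers. Constructed illustration, not the ACME draft's or Let's
Encrypt's code. Authorizations always name a concrete FQDN; a CSR may
also carry wildcard names, and what the CA does with those is policy."""
import re

# One DNS label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def _check_labels(fqdn):
    """Reject names that are not plausible DNS hostnames."""
    if len(fqdn) > 253:
        raise ValueError("name too long: %s" % fqdn)
    for label in fqdn.split("."):
        if not _LABEL.match(label):
            raise ValueError("invalid DNS label %r in %s" % (label, fqdn))


def parse_identifier(name):
    """Return ("fqdn", name) or ("wildcard", base) for one CSR name.

    Only a single wildcard as the leftmost label is accepted; a wildcard
    in the middle of a name, several wildcards, a bare "*" or a wildcard
    directly under a TLD ("*.com") are rejected.
    """
    name = name.strip().lower().rstrip(".")
    if not name:
        raise ValueError("empty identifier")
    labels = name.split(".")
    if labels[0] == "*":
        base = ".".join(labels[1:])
        if len(labels) < 3 or "*" in base:
            raise ValueError("bad wildcard identifier: %s" % name)
        _check_labels(base)
        return ("wildcard", base)
    if "*" in name:
        raise ValueError("wildcard label must be leftmost: %s" % name)
    _check_labels(name)
    return ("fqdn", name)


def is_valid_identifier(name):
    """True if parse_identifier() accepts the name."""
    try:
        parse_identifier(name)
        return True
    except ValueError:
        return False


def required_authorizations(csr_names, wildcard_policy="reject"):
    """Map CSR names to the set of FQDNs the CA must see authorized.

    wildcard_policy stands in for CA policy (an assumption of this example):
      "reject": wildcard names are refused outright.
      "parent": "*.base" is issuable once "base" itself is authorized.
    """
    required = set()
    for name in csr_names:
        kind, value = parse_identifier(name)
        if kind == "fqdn" or wildcard_policy == "parent":
            required.add(value)
        else:
            raise ValueError("wildcard identifiers not issuable: %s" % name)
    return required


def can_issue(csr_names, valid_authorizations, wildcard_policy="reject"):
    """Return (ok, missing): ok is True when every required FQDN has a
    valid authorization; missing lists, sorted, those that do not."""
    have = set()
    for authz in valid_authorizations:
        kind, value = parse_identifier(authz)
        if kind != "fqdn":  # authorizations are never wildcards
            raise ValueError("authorization must be an FQDN: %s" % authz)
        have.add(value)
    required = required_authorizations(csr_names, wildcard_policy)
    missing = sorted(required - have)
    return (not missing, missing)


if __name__ == "__main__":
    # Constructed inputs: a CSR with one plain SAN and one wildcard SAN,
    # and the authorizations a hypothetical account has completed.
    csr = ["www.example.com", "*.example.com"]
    authz = {"www.example.com", "example.com"}
    print("parent policy:", can_issue(csr, authz, "parent"))
    print("parent policy, base not authorized:",
          can_issue(csr, {"www.example.com"}, "parent"))
    try:
        can_issue(csr, authz, "reject")
    except ValueError as exc:
        print("reject policy:", exc)
```

The point the model makes explicit is that the wildcard never reaches the authorization or challenge layer: under either policy the only identifiers that get validated are FQDNs, and the CA decides separately whether a wildcard in the CSR is covered by them.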

1 comment

Also ensuring a market for premium certificates, let's not forget that one bullet point.