Question: why doesn't my wildcard matching work with OpenSSL?

Michael Wojcik Michael.Wojcik at
Mon Jun 10 20:12:15 UTC 2019

I don't know why you sent this to me directly rather than to the list.

> From: Paul Smith [mailto:paul at]
> Sent: Monday, June 10, 2019 12:54
> To: Michael Wojcik
> On Mon, 2019-06-10 at 18:49 +0000, Michael Wojcik wrote:
> > Argh. You cut out the actual relevant information. We need to see the
> > server certificate.
> >
> > In particulary, does it contain any Subject Alternative Name
> > extensions?
> What I cut out was only the base64-encoded certificate.

Yes. That was what we needed to see. The certificate.

> There weren't any settings shown there.

I didn't mention "settings". I discussed Subject Alternative Name extensions, which are part of the certificate.

> > I have a vague memory that wildcard matching only works with SANs.

As it turns out, you're hitting the OpenSSL restriction on wildcards with fewer than two domain components, as Viktor explained. I'd forgotten about that restriction.

However, I still recommend using a proper X.509v3 server certificate with one or more SANs. If you're running your own CA using the openssl utiltity, there are various online tutorials showing how to generate modern certificates.

Michael Wojcik
Distinguished Engineer, Micro Focus

More information about the openssl-users mailing list