
I'm trying to create a certificate for both test and *.test. I'm using minica to generate it and everything goes well (alt names are added):

X509v3 Subject Alternative Name:
                DNS:*.test, DNS:test

(and the CA certificate is added to the browsers' trusted root certification authorities store), but the certificate is rejected by both Chrome and Firefox.

marzelin
  • `.test` is not a valid DNS name. Remove the period at the front of `.test` – John Hanley Mar 01 '19 at 07:23
  • Assuming you did not use a weak certificate with SHA-1 or a 1024-bit modulus, I think the latest versions of browsers also expect IPs in the Subject Alternative Name, so you can try adding them to your certificate – Pras Mar 01 '19 at 07:25

1 Answer


Although you can create a valid certificate for a second-level domain or even a top-level domain, those certificates won't be respected by the browsers for security reasons (e.g. a certificate for *.com would be very dangerous). So even though test is a reserved domain name that can't be registered by any registrar, the certificate will be rejected.

When you try to do this with mkcert you'll get a pretty nice warning:

Warning: many browsers don't support second-level wildcards like *.test ⚠️

Use e.g. app.test + *.app.test instead.

marzelin
  • Browsers typically use the Public Suffix List (also used for cookie management) to see where boundaries exist and hence where wildcarding should not be allowed. – Patrick Mevzek Mar 07 '19 at 01:29
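The rule the answer and the last comment describe can be written down and tested. The following is an added example, not code from the question, the answer, minica or mkcert. It models the wildcard acceptance check browsers apply: the wildcard must be the whole leftmost label, at least two labels must follow it, and the part after `*.` must not itself be a public suffix. The `PUBLIC_SUFFIXES` set is a small constructed excerpt standing in for the real Public Suffix List, and the function names are this example's own; it models only the wildcard rule, not every check a browser performs on a certificate.

```python
"""Wildcard SAN acceptance check modelled on the rule described in the answer.

PUBLIC_SUFFIXES is a constructed excerpt, not the real Public Suffix List
(https://publicsuffix.org/). 'test' is in it because it is an IANA-reserved TLD.
"""
from typing import Iterable, Optional

# Constructed excerpt; a real check would load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "test", "localhost", "uk", "co.uk", "github.io"}


def public_suffix(name: str) -> str:
    """Return the longest public suffix of `name` found in the excerpt.
    Falls back to the last label, mirroring the PSL's implicit '*' rule."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]


def wildcard_problem(san: str) -> Optional[str]:
    """Return None if `san` is a wildcard DNS SAN a browser would honour,
    otherwise a short reason. Names without '*' are accepted as-is."""
    if "*" not in san:
        return None
    if not san.startswith("*.") or "*" in san[2:]:
        return "wildcard must be the entire leftmost label"
    base = san[2:].lower().rstrip(".")
    labels = base.split(".")
    if len(labels) < 2 or not all(labels):
        # This is what kills '*.test': only one label follows the wildcard.
        return "at least two labels must follow the wildcard"
    if base == public_suffix(base):
        # '*.co.uk' or '*.github.io' would cover every registrable domain below.
        return f"'{base}' is a public suffix, so '*.{base}' would cover every domain under it"
    return None


def hostname_matches(hostname: str, sans: Iterable[str]) -> bool:
    """RFC 6125-style match of `hostname` against DNS SANs. Only wildcards that
    pass wildcard_problem() are used, and '*' matches exactly one label."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        if wildcard_problem(san) is not None:
            continue  # the browser simply ignores the unusable entry
        san = san.lower().rstrip(".")
        if san.startswith("*."):
            host_labels = host.split(".")
            if len(host_labels) >= 2 and ".".join(host_labels[1:]) == san[2:]:
                return True
        elif host == san:
            return True
    return False


if __name__ == "__main__":
    # The SANs from the question, then the layout the answer recommends.
    for sans in (["*.test", "test"], ["app.test", "*.app.test"]):
        for san in sans:
            print(f"{san:14} -> {wildcard_problem(san) or 'ok'}")
        print(f"  foo in {sans}: {hostname_matches('foo.' + sans[0].lstrip('*.'), sans)}")
```

Run it as a script to see `*.test` rejected with the two-label reason while `*.app.test` passes; `hostname_matches` then shows that a host under `*.test` gets no match at all, whereas `foo.app.test` matches the recommended `app.test` + `*.app.test` pair.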