
What are limitations of Wildcard or OmniDomain certificates?

  • The wildcard character only replaces the characters 0 to 9, A to Z (upper or lower case) and the dash, i.e. it is equivalent to the expression [0-9A-Za-z\-]+

  • The wildcard certificate works well with IIS, except that Internet Explorer does not let the star match dots: the star stands for a single label only. This is a choice of Microsoft and the behaviour described by RFC 2818. The Mozilla family of tools was more tolerant than the standard until Firefox 3.0.13 (NSS 3.12.3), which aligned with the commonly accepted behaviour of the other browsers.

  • ISA Server 2004 has a limitation: it accepts HTTPS requests on a wildcard certificate, but the ISA server itself cannot initiate an HTTPS connection to an IIS server that uses a wildcard certificate. This works in ISA Server 2006.

  • Microsoft LCS (Live Communications Server), Microsoft Office Communications Server and Lync (before version 2013), which use SSL certificates, do not allow the use of wildcard certificates.

  • ActiveSync only works with wildcards from Windows Mobile 6 onwards (WM 3, 4 and 5 do not work with wildcards); on those versions a standard certificate is required.

  • Some mobile devices (cellphones) do not handle the * character and display an error when checking the certificate.

  • Windows Mobile 5 does not support wildcard certificates (whatever the device brand), whereas Windows Mobile 6 does.

  • If you are using RPC over HTTPS, you will need to set up Outlook; see RPC over HTTPS and ISA 2006 and Wildcard.

  • You may encounter issues when using wildcard certificates with Microsoft IIS 6 SP1 and IIS 7.

  • Barracuda Spam Firewalls can only create a certificate whose name matches the server name. Technically, you can work around this by naming your server in the * format.

The following servers cannot handle wildcard certificates:
  • Novell iChain 2.3 SP3
  • Oracle Wallet Manager (versions before 11g)
  • Aventail (before version 10.5)

What are the drawbacks of Wildcard or Omnidomains certificates?

  • Security: if a server hosting such a certificate is compromised, the other servers using that same certificate may be endangered as well, since they share the same private key.
  • Management: if a Wildcard or OmniDomain certificate is revoked, you will have to remove it from all the servers that are using it.
  • Compatibility: to prevent issues, keep in mind that the star only replaces one domain level.
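To make the matching rules above concrete (the star stands for one whole label made of [0-9A-Za-z-] only, never for a dot, and never for the bare domain), here is an added Python example that is not part of this FAQ: it implements that rule and reports which hostnames a given wildcard name would leave uncovered, so an administrator can check a list of hosts before deploying one certificate across them. The function names and the sample hostnames are constructed for the example.

```python
import re

# Characters the star may stand in for, as the FAQ states: [0-9A-Za-z\-]+
_LABEL_RE = re.compile(r"^[0-9A-Za-z-]+$")


def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Return True if a certificate name such as '*.example.com' covers hostname.

    Rules implemented (from the FAQ and RFC 2818 practice):
    - the star must be the entire leftmost label ('*.example.com');
    - the star replaces exactly one label, so dots are never matched
      (neither 'a.b.example.com' nor the bare 'example.com' is covered);
    - the replaced label may only contain [0-9A-Za-z-];
    - a name without a star must match exactly (case-insensitively).
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # Only a whole leftmost label may be a wildcard, and at least two fixed
    # labels must follow it (rejects names like '*.com').
    if cert_labels[0] != "*" or len(cert_labels) < 3 or "*" in cert_labels[1:]:
        return False
    # The star covers one level only: label counts must be identical.
    if len(host_labels) != len(cert_labels):
        return False
    if host_labels[1:] != cert_labels[1:]:
        return False
    return bool(_LABEL_RE.match(host_labels[0]))


def uncovered_hosts(cert_name: str, hostnames: list[str]) -> list[str]:
    """Hosts in the list that the certificate name would NOT cover."""
    return [h for h in hostnames if not wildcard_matches(cert_name, h)]


if __name__ == "__main__":
    # Constructed sample inventory for a deployment check.
    inventory = ["www.example.com", "api.example.com",
                 "dev.api.example.com", "example.com", "my_host.example.com"]
    for host in uncovered_hosts("*.example.com", inventory):
        print(f"{host}: not covered by *.example.com, needs its own name")
```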

Useful links