
What are limitations of Wildcard or OmniDomain certificates?

  • The wildcard character only replaces the characters 0 to 9, A to Z and the dash (equivalent to [0-9A-Za-z\-]+).

  • The wildcard certificate works fine under IIS, except that Internet Explorer does not let the star match dots. This is a deliberate choice by Microsoft, in line with RFC 2818. The Mozilla family of tools was more tolerant until Firefox 3.0.13 (NSS 3.12.3), which aligned with the behaviour of the other browsers.

  • ISA Server 2004 has a limitation: it accepts incoming HTTPS requests on a wildcard certificate, but the ISA server itself cannot initiate an HTTPS connection to an IIS server that uses a wildcard certificate. This works in ISA Server 2006.

  • Microsoft LCS (Live Communication Server), Lync and Office Communication Server products that use SSL certificates cannot handle Wildcard certificates.

  • ActiveSync only works with wildcards starting from Microsoft Mobile 6 (WM 3, 4, and 5 do not work with wildcards). A standard certificate is required.

  • Some mobile devices (cellphones) do not handle the * character and display an error when checking the certificate.

  • Windows Mobile 5 does not support Wildcard certificates (no brand). Windows Mobile 6, on the other hand, supports them.

  • If you are using RPC over HTTPS, you'll need to set up Outlook; see RPC over HTTPS and ISA 2006 and Wildcard.

  • You may encounter issues when using a Wildcard certificate with Exchange.

  • You may encounter issues when using a Wildcard certificate with Microsoft IIS.

  • Barracuda Spam Firewalls can only create a certificate with a name that matches the server name. Technically, you can work around this issue by naming your server in the * format.

The following servers cannot handle Wildcard certificates:
  • Novell iChain 2.3 SP3
  • Oracle Wallet Manager
  • Aventail (before its version 10.5)

What are the drawbacks of Wildcard or OmniDomain certificates?

  • Security: should a server hosting such a certificate be compromised, the other servers using that same certificate may be endangered as well (same private key).
  • Management: should a Wildcard or OmniDomain certificate be revoked, you'll have to remove it from all the servers that are using it.
  • Compatibility: to prevent issues, keep in mind that the star only replaces one domain level.
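
The matching rules described above (the star stands for one or more characters from [0-9A-Za-z\-], never a dot, and so covers a single domain level), written out as an added example that is not part of the original page. The function names and the host inventory are hypothetical and constructed for illustration; the example assumes the star is the whole leftmost label.

```python
import re

# Character class the page gives for what the star may stand for.
LABEL_RE = re.compile(r"[0-9A-Za-z\-]+")


def wildcard_matches(cert_name: str, hostname: str) -> bool:
    """Return True if hostname is covered by cert_name under the page's rules."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    # The star never spans a dot, so both names must have the same depth.
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # One label only, made of one or more characters from [0-9A-Za-z-].
        if not LABEL_RE.fullmatch(host_labels[0]):
            return False
        return cert_labels[1:] == host_labels[1:]
    # Assumption: a star anywhere but the leftmost label is not a wildcard,
    # so the names are compared literally.
    return cert_labels == host_labels


def uncovered(cert_name: str, hostnames: list[str]) -> list[str]:
    """List the hostnames that need a different certificate or name."""
    return [h for h in hostnames if not wildcard_matches(cert_name, h)]


# Constructed inventory for illustration.
SAMPLE_HOSTS = [
    "www.example.com",     # covered
    "mail.example.com",    # covered
    "example.com",         # bare domain: the star needs at least one character
    "a.b.example.com",     # two levels: the star replaces only one
    "shop_1.example.com",  # underscore is outside the character class
]

if __name__ == "__main__":
    for host in uncovered("*.example.com", SAMPLE_HOSTS):
        print("not covered by *.example.com:", host)
```

Running the check over a server inventory before ordering shows which names fall outside the wildcard and need a separate certificate.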
