Cert Manager allows the creation of Illegal wilcard SANs

Apologies if this isn't a cert-manager issue per se. I have a client using cert-manager who created a certificate with wildcard SAN using `*-`, which is not a legal DNS wildcard, as per [RFC 44592](https://www.rfc-editor.org/rfc/rfc4592#section-2.1.1).

Using `keytool -list -v keystore.jks`, we can see the illegal SAN that uses `*-`
```
SubjectAlternativeName [
  DNSName: my.example.com
  DNSName: *-my.example.com
]
```
If I try to create my own certificate with `*-` locally using using `keytool`, I correctly get an error:
```
keytool error: java.lang.RuntimeException: java.io.IOException: DNSName components must begin with a letter, digit, or the first component can have only a wildcard character *
```

How is it possible cert-manager issued a certificate with an illegal SAN? Is this a bug in cert-manager, or on the issuer side?

Apologies if I misunderstood anything critical. I'm just trying to understand how this could have happened.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Cert Manager allows the creation of Illegal wilcard SANs #1620

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Cert Manager allows the creation of Illegal wilcard SANs #1620

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions