Accepted wildcards used by server certificates for server authentication

Article ID: 258858 - View products that this article applies to.
This article was previously published under Q258858

SUMMARY

The SSL/TLS implementation in the SCHANNEL security provider allows wildcard characters in server certificates on all supported operating systems except the original release of Microsoft Windows 2000 without any service pack. Once Windows 2000 Service Pack 1 or later is installed, this functionality is present.

MORE INFORMATION

When SCHANNEL is used to authenticate a server during an HTTPS session, the server presents a certificate. This certificate has a common name that is compared against the server name extracted from the remote resource request. For example, if you point your browser to https://www.e-commerce.example.com/, SCHANNEL ensures that the server presents a certificate with the common name www.e-commerce.example.com; otherwise it informs the application that the server authentication failed.

A variation on this certificate-matching scheme has been documented in RFC 2595 and draft RFC specs for other protocols. This functionality allows the server certificate to have a wildcard (*) in the common name (CN). With the wildcard, you may have a single certificate (or only one CN in the certificate) installed on a group of servers with somewhat similar names. The implementation is designed so that multiple servers are given duplicates of the same wildcarded certificate that authenticates a set of servers. For instance, a company may have three SSL e-commerce servers with the following names:
  • www.e-commerce.example.com
  • w3.e-commerce.example.com
  • secure.e-commerce.example.com
For this example, the company may buy a single certificate containing the name *.e-commerce.example.com.

The following are some examples of how wildcards should and should not be used for maximum interoperability.

Accepted wildcard examples

  • www.example.com matches www.example.com
  • *.example.com matches www.example.com
  • w*.example.com matches www.example.com
  • ww*.example.com matches www.example.com
  • Www.Example.com matches www.examPle.cOm

Nonaccepted wildcard examples

  • *www.example.com does not match www.example.com
  • *w.example.com does not match www.example.com
  • w*w.example.com does not match www.example.com
  • *ww.example.com does not match www.example.com
  • www.e*ample.com does not match www.example.com
  • www.*ample.com does not match www.example.com
  • www.ex*.com does not match www.example.com
  • www.*.com does not match www.example.com
  • example.com does not match *.com
  • *.com does not match www.example.com
  • www.example.abc.com does not match *.abc.com
  • example.com does not match *.*
  • example does not match *
  • abc.def.example.com does not match a*.d*.example.com
  • www.example.com.au does not match *.*.com.au
  • www.example.com.au does not match www.*.com.au
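As an added example (not the article's or SCHANNEL's own code), the following Python matcher encodes the rules the two lists above imply: comparison is case-insensitive, a single wildcard may appear only at the end of the leftmost label, it never spans a dot, and a wildcard name needs at least two literal labels after it. The function and list names, and the rule set itself, are assumptions inferred from the article's examples.

```python
# Added example, not SCHANNEL code: the rules are inferred from this
# article's accepted/nonaccepted lists; function and list names are mine.

def matches_hostname(cert_name: str, host: str) -> bool:
    """True if certificate CN `cert_name` is accepted for `host`."""
    cert = cert_name.lower().split(".")   # case-insensitive comparison
    name = host.lower().split(".")
    if len(cert) != len(name):            # '*' never spans a dot
        return False
    if any("*" in label for label in cert[1:]):
        return False                      # '*' only in the leftmost label
    first = cert[0]
    if "*" not in first:
        return cert == name               # no wildcard: exact match
    if len(cert) < 3:                     # '*.com' and '*' are not accepted
        return False
    if first.count("*") != 1 or not first.endswith("*"):
        return False                      # w*, ww* ok; *w, w*w, *ww not
    return name[0].startswith(first[:-1]) and cert[1:] == name[1:]


# Constructed check cases drawn from the article's own lists.
ACCEPTED = [
    ("www.example.com", "www.example.com"),
    ("*.example.com", "www.example.com"),
    ("w*.example.com", "www.example.com"),
    ("ww*.example.com", "www.example.com"),
    ("Www.Example.com", "www.examPle.cOm"),
]
REJECTED = [
    ("*www.example.com", "www.example.com"),
    ("w*w.example.com", "www.example.com"),
    ("*ww.example.com", "www.example.com"),
    ("www.e*ample.com", "www.example.com"),
    ("www.*.com", "www.example.com"),
    ("*.com", "example.com"),
    ("*.com", "www.example.com"),
    ("*.abc.com", "www.example.abc.com"),
    ("*.*", "example.com"),
    ("*", "example"),
    ("a*.d*.example.com", "abc.def.example.com"),
    ("*.*.com.au", "www.example.com.au"),
]

def check_article_examples() -> bool:
    """True when the matcher agrees with every listed example."""
    ok = all(matches_hostname(c, h) for c, h in ACCEPTED)
    return ok and not any(matches_hostname(c, h) for c, h in REJECTED)
```

Treat it as a reference for the interoperability rules this article lists, not as a substitute for the platform's own certificate validation.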

Properties

Article ID: 258858 - Last Review: January 22, 2010 - Revision: 8.0
APPLIES TO
  • Microsoft Windows 2000 Server
  • Windows 7 Enterprise
  • Windows 7 Home Basic
  • Windows 7 Home Premium
  • Windows 7 Professional
  • Windows 7 Starter
  • Windows 7 Ultimate
  • Windows Vista Business
  • Windows Vista Enterprise
  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Starter
  • Windows Vista Ultimate
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional
  • Windows Server 2008 for Itanium-Based Systems
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Standard
  • Windows Server 2008 Service Pack 2
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Microsoft Windows Server 2003 R2 Datacenter Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Datacenter x64 Edition
  • Microsoft Windows Server 2003 R2 Enterprise Edition (32-Bit x86)
  • Microsoft Windows Server 2003 R2 Enterprise x64 Edition
  • Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003 R2 Standard x64 Edition
  • Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 Service Pack 2
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
Keywords: kbenv kbinfo KB258858
