SSL – Make wildcard certificate valid for ALL sites over the globe

Tags: certificate, https, ssl, wildcard

How I do to create a wildcard certificate for ALL domains?

Here is my error:

(screenshot eicarcert.PNG, referenced below; image not available)

CACERTIFICATE.crt is imported as trusted in my browser.
SERVERCERTICIATE.crt and SERVERPRIVATEKEY.key are used in a proxy server which scans SSL traffic for viruses.

The problem is that in IE I have to uncheck:
"Tools – Internet Options – Advanced – Warn if addresses in certificates do not match*"

for it not to complain about the certificate. (In the picture eicarcert.PNG I have the setting unchecked, and you can see that the cert is trusted.)

In Firefox (latest), I have to click "Add a security exception" for EVERY SSL site I'm visiting. It's pretty irritating to have to "Add a security exception" for every SSL site I'm visiting even if the certificate is trusted.
Firefox pushed out an update to their SSL handling disallowing * to cover . in domains.
Even having a certificate like *.*.* does not make the browser trust it.

Is there any way to create a certificate valid for ALL domains over the whole globe?

Best Answer

Unfortunately there has never been a good RFC on how wildcard matching works so the different implementations (SChannel and NSS mainly) are slightly different. However, here's the draft standard which will pin this down:

https://datatracker.ietf.org/doc/html/draft-saintandre-tls-server-id-check-09#section-4.4.3

And here's Microsoft's take on it:

support.microsoft.com/kb/258858

Basically, a wildcard may appear as the left-most label and it matches exactly one label. So *.example.com matches www.example.com, but not example.com (because that would mean matching zero labels).

'*' matches only 'com', 'org' etc. '*.*' is invalid.

So you can't do what you're trying to do. SSL MITM boxes have to install a root CA onto client machines and then generate certificates on the fly (with caching) for the domains that they want to intercept.

MITM boxes also happen to be a terrible idea which imposes huge costs on the rest of the world and breaks things constantly. Don't expect Chrome to work with them.