Bug #3733

Certificate manager doesn't allow wildcards in Subject Alternative Names

Added by Johan Braeken almost 7 years ago. Updated over 5 years ago.

Target version:
Start date:
Due date:
% Done:


Estimated time:
Affected Version:
Affected Architecture:
Release Notes:


Hi there,

Having a wildcard certificate in the DNS Subject Alternative Name is valid, but the pfSense webinterface doesn't allow this.
Instead, it displays an error message:

The following input errors were detected:

DNS subjectAltName values must be valid hostnames or FQDNs

Would it be possible to change the error checking of the webinterface so wildcard DNS names are allowed in the "DNS subjectAltName"-field?


#1 Updated by Daniel Schultheis almost 6 years ago

You can achive this behaviour by modifying the file /etc/inc/

The problem lies within the is_domain() method which checks if the entered domain is indeed a valid domain string. Search for this method inside /etc/inc/ and replace this line

if (preg_match('/^(?:(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9])\.)*(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9\.])$/i', $domain))

with the following

if (preg_match('/^(?:(?:[a-z_0-9\*]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9])\.)*(?:[a-z_0-9]|[a-z_0-9][a-z_0-9\-]*[a-z_0-9\.])$/i', $domain))

This will allow a wildcard (*) as the first character allowing you to define wildcard domains in the SAN fields.

I hope this will make it inside the public release at some point.

#2 Updated by Jim Pingle almost 6 years ago

That change is unlikely to make it in unless it's in a separate function or a separate option to the function to activate the behavior. Allowing wildcards in that function unconditionally would allow them in other places where they are not functional (e.g. aliases, hostname fields for things like VPN peer addresses, etc).

#3 Updated by Daniel Schultheis almost 6 years ago

I've created a patch which now wraps this whole behaviour in a seperate function call.

In /usr/local/www/system_certmanager.php a new function is_wildcard_hostname() is called. This function is a copy of is_hostname() in /etc/inc/ which in return will call a new function is_wildcard_domain() which checks the hostname against the modified regular expression.

#4 Updated by Daniel Schultheis almost 6 years ago

I've just optimized the patch a bit to revert back to the original functions which now have an additional $allow_wildcard parameter which defaults to false if not set.

#5 Updated by Daniel Schultheis almost 6 years ago

I made a silly mistake which is now fixed. Here is an updated patch.

#6 Updated by Phillip Davis almost 6 years ago

It will be easy if you submit a pull request at
Then the devs can easily review, comment and commit...

#7 Updated by Daniel Schultheis almost 6 years ago

I've created the pull request @

#8 Updated by Chris Buechler over 5 years ago

  • Status changed from New to Confirmed
  • Priority changed from Low to Normal
  • Target version set to 2.3
  • Affected Version set to All

Thanks Daniel. Merge request won't cleanly merge anymore, added a note there. If you can get an ICLA on file and submit an updated pull request we'll get that in for 2.3.

#9 Updated by Daniel Schultheis over 5 years ago

I've now registered for the ICLA (Username: dachande) and just created a new pull request @

#10 Updated by Renato Botelho over 5 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

Pull request has been merged

#11 Updated by Jim Pingle over 5 years ago

  • Status changed from Feedback to Resolved

Works. I can make an FQDN SAN and it ends up in the cert

            X509v3 Subject Alternative Name: 

Also available in: Atom PDF