# Role Allows Glob-Based Wildcard Issuance

This health check evaluates every role defined on the PKI mount and reports any role that simultaneously allows glob domains and wildcard certificate issuance. When both `allow_glob_domains` and `allow_wildcard_certificates` are enabled in the same role, the glob patterns in `allowed_domains` are also matched against wildcard names, so a single glob entry can authorise wildcard certificates the operator never intended, including nested wildcards. That widens what the role can issue well beyond its apparent scope and increases the risk of misuse or misconfiguration.

#### **Health Check Name**: `role_allows_glob_wildcards`

#### **Accessed APIs**

| HTTP Method | API Endpoint   | Description                                     |
| ----------- | -------------- | ----------------------------------------------- |
| LIST        | `/roles`       | Lists all roles configured in the PKI mount.    |
| READ        | `/roles/:name` | Retrieves detailed configuration for each role. |

#### **Configuration Parameters**

| Parameter       | Type | Default | Description                                                         |
| --------------- | ---- | ------- | ------------------------------------------------------------------- |
| `allowed_roles` | list | `nil`   | A list of role names to ignore during this health check evaluation. |

#### **Health Check Results**

| Condition Evaluated                                                            | Result                                                                                                       |
| ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------ |
| Role has both `allow_glob_domains=true` and `allow_wildcard_certificates=true` | *Warning issued* – Role allows both glob domains and wildcard certs, which may lead to risky configurations. |

#### **Recommended Actions**

* Split any role that currently allows both glob domains and wildcard certificates into two separate roles: one with `allow_glob_domains=true` and one with `allow_wildcard_certificates=true`. Review `allowed_domains` in each resulting role afterwards, because an entry written as a glob is only interpreted as a pattern while `allow_glob_domains` is enabled.
* Ensure that:
  * Each role allows either glob domains or wildcard certificates, but not both.
  * A role that keeps both flags enabled exists only when absolutely necessary, that is, when a single certificate must carry SANs that require both glob matching and a wildcard.
* Add such necessary roles to the `allowed_roles` parameter so that future runs of this health check do not warn about them.
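
The condition from the results table and the split from the recommended actions, as an added Python example that is not the Virtual HSM's own code: it runs offline over a constructed set of role configurations in the shape returned by `READ /roles/:name` (the role names and domains are made up for the example), honours the `allowed_roles` parameter, and derives the two replacement roles. No API is called; the `LIST /roles` and `READ /roles/:name` steps are modelled as dictionary lookups.

```python
"""Offline model of the role_allows_glob_wildcards health check.

Added example; not the Virtual HSM's own implementation. It reproduces
the check over constructed role data (the shape of READ /roles/:name),
honours the allowed_roles parameter, and applies the recommended split.
"""
from __future__ import annotations

from typing import Iterable

# Constructed sample: what LIST /roles followed by READ /roles/:name
# would return. Role names and domains are invented for the example.
SAMPLE_ROLES: dict[str, dict] = {
    "web-servers": {
        "allowed_domains": ["*.example.com"],
        "allow_glob_domains": True,
        "allow_wildcard_certificates": True,
    },
    "internal-services": {
        "allowed_domains": ["internal.example.com"],
        "allow_glob_domains": False,
        "allow_wildcard_certificates": True,
    },
    "edge-glob": {
        "allowed_domains": ["*.edge.example.com"],
        "allow_glob_domains": True,
        "allow_wildcard_certificates": False,
    },
    "legacy-combined": {
        "allowed_domains": ["*.legacy.example.com"],
        "allow_glob_domains": True,
        "allow_wildcard_certificates": True,
    },
}

WARNING_MESSAGE = ("Role allows both glob domains and wildcard certs, "
                   "which may lead to risky configurations")


def role_allows_glob_wildcards(role: dict) -> bool:
    """The condition the health check evaluates on one role's configuration."""
    return bool(role.get("allow_glob_domains")) and bool(
        role.get("allow_wildcard_certificates")
    )


def run_check(roles: dict[str, dict],
              allowed_roles: Iterable[str] | None = None) -> list[dict]:
    """Evaluate every role; roles named in allowed_roles are skipped."""
    ignored = set(allowed_roles or ())
    results = []
    for name in sorted(roles):          # LIST /roles
        if name in ignored:
            results.append({"role": name, "status": "ok",
                            "message": "ignored via allowed_roles"})
            continue
        cfg = roles[name]               # READ /roles/:name
        if role_allows_glob_wildcards(cfg):
            results.append({"role": name, "status": "warning",
                            "message": WARNING_MESSAGE})
        else:
            results.append({"role": name, "status": "ok",
                            "message": "glob domains and wildcards not combined"})
    return results


def split_role(name: str, cfg: dict) -> dict[str, dict]:
    """Recommended remediation: one glob-only role and one wildcard-only role.

    Both copies keep the original allowed_domains; review them afterwards,
    because a glob entry such as "*.example.com" is only treated as a
    pattern while allow_glob_domains is enabled.
    """
    glob_only = dict(cfg, allow_wildcard_certificates=False)
    wildcard_only = dict(cfg, allow_glob_domains=False)
    return {f"{name}-glob": glob_only, f"{name}-wildcard": wildcard_only}


if __name__ == "__main__":
    # legacy-combined is accepted as a necessary exception via allowed_roles;
    # web-servers is still flagged and then split.
    for r in run_check(SAMPLE_ROLES, allowed_roles=["legacy-combined"]):
        print(f"{r['status']:7} {r['role']:20} {r['message']}")
    for new_name, new_cfg in split_role("web-servers",
                                        SAMPLE_ROLES["web-servers"]).items():
        print(new_name, new_cfg)
```

Running the script flags only `web-servers`, because `legacy-combined` is suppressed through `allowed_roles`, and prints the two derived roles, neither of which satisfies the warning condition any more.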


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.enclaive.cloud/virtual-hsm/troubleshooting/role-allows-glob-based-wildcard-issuance.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
