# Role Allows Glob-Based Wildcard Issuance

This health check evaluates the defined roles to determine whether any of them simultaneously allows both glob domains and wildcard certificate issuance.\
When a role enables both `allow_glob_domains` and `allow_wildcard_certificates`, it can lead to unintended certificate behaviors, such as nested wildcards, which increase the risk of misuse or misconfiguration.

#### **Health Check Name**: `role_allows_glob_wildcards`

#### **Accessed APIs**

| HTTP Method | API Endpoint   | Description                                     |
| ----------- | -------------- | ----------------------------------------------- |
| LIST        | `/roles`       | Lists all roles configured in the PKI mount.    |
| READ        | `/roles/:name` | Retrieves detailed configuration for each role. |

#### **Configuration Parameters**

| Parameter       | Type | Default | Description                                                         |
| --------------- | ---- | ------- | ------------------------------------------------------------------- |
| `allowed_roles` | list | `nil`   | A list of role names to ignore during this health check evaluation. |

#### **Health Check Results**

| Condition Evaluated                                                            | Result                                                                                                       |
| ------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------ |
| Role has both `allow_glob_domains=true` and `allow_wildcard_certificates=true` | *Warning issued* – Role allows both glob domains and wildcard certs, which may lead to risky configurations. |

#### **Recommended Actions**

* Split any role that currently allows both glob domains and wildcard certificates into two separate roles.
* Ensure that:
  * Each role either allows glob domains or wildcard certificates, but not both.
  * Roles allowing both are only used when absolutely necessary, i.e. when a single role must cover all SANs on a certificate.
* Add such necessary roles to the `allowed_roles` list to suppress warnings in future health checks.
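The logic this health check applies, as an added example that is not part of the original page or of the PKI tooling itself: the role names and settings below are constructed stand-ins for what `LIST /roles` and `READ /roles/:name` would return, and the function honours `allowed_roles` the same way the parameter table describes.

```python
"""Model of the role_allows_glob_wildcards check over sample role data."""

# Constructed sample data (hypothetical role names and settings), shaped like
# the combined output of LIST /roles followed by READ /roles/:name for each.
SAMPLE_ROLES = {
    "web-server": {
        "allowed_domains": ["example.com"],
        "allow_subdomains": True,
        "allow_glob_domains": False,
        "allow_wildcard_certificates": True,
    },
    "legacy-glob": {
        "allowed_domains": ["*.internal.example.com"],
        "allow_glob_domains": True,
        "allow_wildcard_certificates": True,
    },
    "approved-both": {
        "allowed_domains": ["*.lab.example.com"],
        "allow_glob_domains": True,
        "allow_wildcard_certificates": True,
    },
}


def role_allows_glob_wildcards(roles, allowed_roles=()):
    """Return one warning per role that enables both risky settings.

    `roles` maps role name -> role configuration (READ /roles/:name data).
    Roles named in `allowed_roles` are skipped, mirroring the check's
    configuration parameter; results are sorted by role name for stable output.
    """
    findings = []
    for name, cfg in sorted(roles.items()):
        if name in allowed_roles:
            continue  # explicitly accepted by the operator, suppress the warning
        if cfg.get("allow_glob_domains") and cfg.get("allow_wildcard_certificates"):
            findings.append({
                "role": name,
                "status": "warning",
                "message": (
                    f"role {name!r} allows both glob domains and wildcard "
                    "certificates; split it into two roles or add it to allowed_roles"
                ),
            })
    return findings


if __name__ == "__main__":
    for finding in role_allows_glob_wildcards(SAMPLE_ROLES, allowed_roles={"approved-both"}):
        print(f"[{finding['status']}] {finding['message']}")
```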
