Role Allows Glob-Based Wildcard Issuance

Perform the recommended actions to ensure that none of the defined roles simultaneously allow both glob domains and wildcard certificate issuance.

This health check evaluates defined roles to determine whether any of them simultaneously allow both glob domains and wildcard certificate issuance. When both allow_glob_domains and allow_wildcard_certificates are enabled in a role, it can lead to unintended certificate behaviors such as nested wildcards, increasing the risk of misuse or misconfiguration.

Health Check Name: `role_allows_glob_wildcards`

Accessed APIs

HTTP Method

API Endpoint

Description

LIST

/roles

Lists all roles configured in the PKI mount.

READ

/roles/:name

Retrieves detailed configuration for each role.

Configuration Parameters

Parameter

Type

Default

Description

allowed_roles

list

nil

A list of role names to ignore during this health check evaluation.

Health Check Results

Condition Evaluated

Result

Role has both allow_glob_domains=true and allow_wildcard_certificates=true

Warning issued – Role allows both glob domains and wildcard certs, which may lead to risky configurations.

Recommended Actions

Split any role that currently allows both glob domains and wildcard certificates into two separate roles.
Ensure that:
- Each role either allows glob domains or wildcard certificates, but not both.
- Roles allowing both types are only used when absolutely necessary and required to cover all SANs on a certificate.
Add such necessary roles to the allowed_roles list to suppress warnings in future health checks.

PreviousRole Allows Implicit Localhost Issuance NextPerformance Impact

Last updated 3 months ago

Was this helpful?