Role Allows Glob-Based Wildcard Issuance
Perform the recommended actions to ensure that none of the defined roles simultaneously allow both glob domains and wildcard certificate issuance.
This health check evaluates defined roles to determine whether any of them simultaneously allow both glob domains and wildcard certificate issuance.
When both allow_glob_domains and allow_wildcard_certificates are enabled in a role, it can lead to unintended certificate behaviors such as nested wildcards, increasing the risk of misuse or misconfiguration.
Health Check Name: role_allows_glob_wildcards
Accessed APIs
LIST /roles - Lists all roles configured in the PKI mount.
READ /roles/:name - Retrieves detailed configuration for each role.
Configuration Parameters
allowed_roles (list: nil) - A list of role names to ignore during this health check evaluation.
Health Check Results
Role has both allow_glob_domains=true and allow_wildcard_certificates=true: Warning issued – Role allows both glob domains and wildcard certs, which may lead to risky configurations.
Recommended Actions
Split any role that currently allows both glob domains and wildcard certificates into two separate roles.
Ensure that:
Each role either allows glob domains or wildcard certificates, but not both.
Roles allowing both types are only used when absolutely necessary and required to cover all SANs on a certificate.
Add such necessary roles to the allowed_roles list to suppress warnings in future health checks.
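An added example, not part of the original page or the project's own code: a small Python audit that applies the rule described above to role data in the shape returned by LIST /roles and READ /roles/:name, including allowed_roles suppression. The sample responses, role names, the audit_roles and sample_read functions, and the "incomplete" category are assumptions of this example.

```python
# Constructed sample data in the shape of LIST /roles and READ /roles/:name
# responses from a PKI mount. Role names and domains are made up.
SAMPLE_LIST = {"data": {"keys": ["web-glob", "web-wild", "legacy-both",
                                 "san-cover", "old-import"]}}
SAMPLE_ROLES = {
    "web-glob": {"allowed_domains": ["ftp*.example.com"],
                 "allow_glob_domains": True, "allow_wildcard_certificates": False},
    "web-wild": {"allowed_domains": ["example.com"],
                 "allow_glob_domains": False, "allow_wildcard_certificates": True},
    "legacy-both": {"allowed_domains": ["*.example.com"],
                    "allow_glob_domains": True, "allow_wildcard_certificates": True},
    "san-cover": {"allowed_domains": ["app*.example.net"],
                  "allow_glob_domains": True, "allow_wildcard_certificates": True},
    "old-import": {"allowed_domains": ["example.org"], "allow_glob_domains": True},
}


def sample_read(name):
    """Stand-in for READ /roles/:name; swap in a real API client call."""
    return {"data": SAMPLE_ROLES[name]}


def audit_roles(list_resp, read_role, allowed_roles=None):
    """Classify roles the way role_allows_glob_wildcards is described.

    Returns a dict of sorted role-name lists:
      warning    - both flags true and role not in allowed_roles
      suppressed - both flags true but role listed in allowed_roles
      incomplete - a flag is absent from the response (this example's own
                   category, so a partial read is never counted as clean)
    """
    ignore = set(allowed_roles or [])
    result = {"warning": [], "suppressed": [], "incomplete": []}
    for name in sorted((list_resp.get("data") or {}).get("keys") or []):
        cfg = (read_role(name) or {}).get("data") or {}
        glob = cfg.get("allow_glob_domains")
        wild = cfg.get("allow_wildcard_certificates")
        if glob is None or wild is None:
            result["incomplete"].append(name)
        elif glob is True and wild is True:
            result["suppressed" if name in ignore else "warning"].append(name)
    return result


if __name__ == "__main__":
    for bucket, names in audit_roles(SAMPLE_LIST, sample_read, ["san-cover"]).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Roles reported under "warning" are the candidates for splitting; roles under "suppressed" are the ones to re-justify periodically, since allowed_roles hides them from future runs.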