Does ACF2 support digital certificates with a wildcard character in the CN field?

Document ID : KB000025051
Last Modified Date : 14/02/2018

Question:  

Does ACF2 support digital certificates with a wildcard character in the CN field?

Answer: 

ACF2 supports the use of an "*" wildcard character in the common name (CN) field of a digital certificate.

An ACF2 CERTDATA Profile Data Record is used to associate a digital certificate with a user. The subject's distinguished name, SUBJDN(dn), of this record includes the common name (CN).

A digital certificate's CN=common name attribute specifies the subject's regular name. For example, Sam Smith would be specified as CN='Sam Smith'. An '*' wildcard character may be used as the leftmost byte of the CN attribute, with the remaining end-domain name shared by all the servers it covers, as in CN='*.example.com'.

For instance, a site may have three SSL servers with the following names:

www.example.com
w3.example.com
secure.example.com

For this example, the site may buy a single certificate containing the name *.example.com.

With a wildcard (*) in the common name (CN), a single certificate can be installed on a group of servers that share the same end-domain name: each server is given a duplicate of the same wildcarded certificate, and that one certificate authenticates the whole set of servers.

The certificate record stored in the ACF2 database with a wildcard character in the CN may look like the following:

  CERTDATA / EXAMPLE.CERT LAST CHANGED BY USER01 ON 02/02/09-17:24 
  ACTIVE(02/02/09) CERTID(01.CN=histrust CA cert20) EXPIRE(02/02/10) 
  LABEL(USER01.MYCERT) SUBJDN(CN=*.example.com) TRUST 
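As an added illustration (not ACF2 code and not from the Administrator Guide), the following Python reads the CN out of the SUBJDN field of a CERTDATA listing like the one above and checks which server names a wildcarded CN covers. It assumes the usual TLS interpretation that '*' must be the entire leftmost label and stands in for exactly one label, so the bare domain and deeper subdomains are not matched; confirm ACF2's own matching rule in the Administrator Guide before relying on it.

```python
import re

# Constructed copy of the CERTDATA record shown in the article (not a live ACF2 listing).
CERTDATA_RECORD = """\
  CERTDATA / EXAMPLE.CERT LAST CHANGED BY USER01 ON 02/02/09-17:24
  ACTIVE(02/02/09) CERTID(01.CN=histrust CA cert20) EXPIRE(02/02/10)
  LABEL(USER01.MYCERT) SUBJDN(CN=*.example.com) TRUST
"""


def subject_cn(record: str) -> str:
    """Return the CN attribute from the SUBJDN(...) field of a CERTDATA listing."""
    m = re.search(r"SUBJDN\(([^)]*)\)", record)
    if not m:
        raise ValueError("no SUBJDN field in record")
    for attr in m.group(1).split(","):
        name, _, value = attr.strip().partition("=")
        if name.upper() == "CN":
            return value.strip()
    raise ValueError("SUBJDN has no CN attribute")


def cn_matches_host(cn: str, host: str) -> bool:
    """Decide whether a certificate CN covers a server name.

    Assumption (hypothetical rule, see lead-in): '*' is honoured only as the
    whole leftmost label and covers exactly one label; the remaining labels
    must equal the host's remaining labels, compared case-insensitively.
    """
    cn, host = cn.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in cn:
        return cn == host                 # plain CN: exact name match only
    if not cn.startswith("*.") or "*" in cn[1:]:
        return False                      # wildcard must be the leftmost label, used once
    cn_labels, host_labels = cn.split("."), host.split(".")
    if len(cn_labels) != len(host_labels):
        return False                      # bare domain or deeper subdomain: not covered
    return cn_labels[1:] == host_labels[1:]


if __name__ == "__main__":
    cn = subject_cn(CERTDATA_RECORD)
    for h in ("www.example.com", "w3.example.com", "secure.example.com",
              "example.com", "a.b.example.com", "www.evil-example.com"):
        print(f"{cn} covers {h}: {cn_matches_host(cn, h)}")
```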

For details on the ACF2 CERTDATA Profile Data Record, see the CA ACF2 for z/OS Administrator Guide, section "USER Profile Records", sub-section "CERTDATA Profile Data Records".