Question:
Does ACF2 support digital certificates with a wildcard character in the CN field?
Answer:
ACF2 supports the use of an "*" wildcard character in the common name (CN) field of a digital certificate.
An ACF2 CERTDATA Profile Data Record associates a digital certificate with a user. The subject's distinguished name, SUBJDN(dn), in this record includes the common name (CN).
In a digital certificate, CN=common name specifies the subject's regular name; for example, Sam Smith would be specified as CN='Sam Smith'. An '*' wildcard character may be used as the leftmost byte of the CN attribute, with the remainder of the name being the shared end-domain name, as in CN='*.example.com'.
For instance, a site may have three SSL servers with the following names:
www.example.com
w3.example.com
secure.example.com
For this example, the site may buy a single certificate containing the name *.example.com.
With the wildcard (*) in the common name (CN), a single certificate can be installed on a group of servers that share the same end-domain name: each server is given a duplicate of the same wildcarded certificate, and that one certificate authenticates the whole set of servers.
A certificate record stored in the ACF2 database with a wildcard character in the CN may look like the following:
CERTDATA / EXAMPLE.CERT LAST CHANGED BY USER01 ON 02/02/09-17:24 ACTIVE(02/02/09) CERTID(01.CN=histrust CA cert20) EXPIRE(02/02/10) LABEL(USER01.MYCERT) SUBJDN(CN=*.example.com) TRUST
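The following Python script is an added illustration, not code from the page or from CA ACF2, of what the record above means in practice: it pulls the CN out of the SUBJDN field of the CERTDATA listing shown above and then checks which of the three server names the wildcard covers. The matching rule it implements is the one the answer describes (the '*' may occupy only the leftmost position and the rest of the name must be the same end-domain name); the assumption that the wildcard stands for exactly one name label, so that the bare end-domain and names with an extra subdomain level are not covered, is this example's own and is not a statement about how ACF2 evaluates the match internally. The function names extract_cn, cn_matches and servers_covered are hypothetical.

```python
import re

# CERTDATA listing line as shown in the answer above (copied from the page).
CERTDATA_LISTING = (
    "CERTDATA / EXAMPLE.CERT LAST CHANGED BY USER01 ON 02/02/09-17:24 "
    "ACTIVE(02/02/09) CERTID(01.CN=histrust CA cert20) EXPIRE(02/02/10) "
    "LABEL(USER01.MYCERT) SUBJDN(CN=*.example.com) TRUST"
)


def extract_cn(listing: str) -> str:
    """Return the CN value from the SUBJDN(...) field of a CERTDATA listing.

    Assumes (for this example) that SUBJDN holds a single CN= component
    with no nested parentheses, as in the record above.
    """
    m = re.search(r"SUBJDN\(CN=([^)]+)\)", listing)
    if not m:
        raise ValueError("no SUBJDN(CN=...) field found in listing")
    return m.group(1).strip()


def cn_matches(cn: str, hostname: str) -> bool:
    """Match a host name against a certificate CN as the answer describes.

    A '*' is accepted only as the leftmost label, and everything to the right
    of it must be identical to the host name's end-domain. Assumption made
    here: the wildcard covers exactly one label, so 'example.com' itself and
    'a.b.example.com' are not covered by '*.example.com'.
    """
    cn = cn.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cn:
        return cn == hostname            # no wildcard: names must be identical
    if not cn.startswith("*.") or "*" in cn[1:]:
        return False                     # wildcard anywhere else is not accepted
    host_labels = hostname.split(".")
    cn_labels = cn.split(".")
    if len(host_labels) != len(cn_labels):
        return False                     # wildcard stands for one label only
    return host_labels[0] != "" and host_labels[1:] == cn_labels[1:]


def servers_covered(listing: str, hostnames):
    """Map each host name to whether the listing's CN authenticates it."""
    cn = extract_cn(listing)
    return {h: cn_matches(cn, h) for h in hostnames}


if __name__ == "__main__":
    # The three servers from the answer plus constructed names that the
    # wildcard should not cover.
    hosts = ["www.example.com", "w3.example.com", "secure.example.com",
             "example.com", "a.b.example.com", "www.example.org"]
    for host, ok in servers_covered(CERTDATA_LISTING, hosts).items():
        print(f"{host:20s} {'covered' if ok else 'not covered'}")
```

Run as a script, it lists the three servers from the answer as covered and the remaining names as not covered; the rejection of the bare end-domain and of the extra-level subdomain is the one-label assumption stated in the lead-in, worth confirming against the Administrator Guide before relying on it.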
For details on the ACF2 CERTDATA Profile Data Record see the CA ACF2 for z/OS Administrator Guide section "USER Profile Records", sub-section "CERTDATA Profile Data Records".