PCI is a joke, IMHO. It’s well intentioned, but it throws errors for all kinds of things that aren’t.

> On Apr 14, 2018, at 07:09, Paul Stewart <p...@paulstewart.org> wrote:
>
> Currently we still use some wildcards and have never had issues with PCI
> (level 1) compliance from using them ….
>
> Paul
>
>
> From: Af <af-boun...@afmug.com> on behalf of Jeremy <jeremysmi...@gmail.com>
> Reply-To: <af@afmug.com>
> Date: Wednesday, April 11, 2018 at 11:14 AM
> To: <af@afmug.com>
> Subject: [AFMUG] PCI Compliance scan rejecting wildcard cert (CN)
>
> We keep failing our PCI compliance over what I believe is an error on their
> side. Our wildcard cert covers *.bluespring.me, which is used on multiple
> servers. They are wanting an exact match to our domain on the CN, which is
> "65-126-126-5.dia.static.bluespring.me". To me, *.bluespring.me IS a match.
> If I change the CN to that specific billing server then it will not match the
> website server. It was my understanding that this is the entire point of
> having a wildcard cert. Anyone else ever gone through this? Does their
> analysis that *.bluespring.me is NOT a match seem right to everyone here?
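
Added example, not part of the original thread: a simplified version of the wildcard rule in RFC 6125 section 6.4.3, which lets "*" stand in for exactly one left-most DNS label, run against the two names quoted above. The function names and every hostname other than those two are constructed for illustration, and the sketch assumes the wildcard is the whole left-most label.

```python
# Simplified RFC 6125 (section 6.4.3) wildcard matching for certificate names.
# Assumption: only "*" as the complete left-most label is accepted; partial
# wildcards such as "w*.example.com" are rejected.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring one trailing dot."""
    return name.rstrip(".").lower().split(".")

def wildcard_matches(pattern, hostname):
    """Return True if the certificate name `pattern` covers `hostname`."""
    p, h = _labels(pattern), _labels(hostname)
    if "" in p or "" in h:               # empty label: malformed name
        return False
    if "*" not in pattern:               # plain name: exact match only
        return p == h
    # The wildcard must be the entire left-most label and appear only there.
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    # "*" replaces exactly one label, so both names need the same label count.
    if len(p) != len(h):
        return False
    return p[1:] == h[1:]

def covered_by(cert_names, hostname):
    """Return the certificate names (CN or SAN entries) that cover hostname."""
    return [n for n in cert_names if wildcard_matches(n, hostname)]

CERT_NAMES = ["*.bluespring.me"]                  # wildcard from the thread
HOSTS = [
    "65-126-126-5.dia.static.bluespring.me",      # name the scan asked for
    "billing.bluespring.me",                      # constructed example
    "bluespring.me",                              # constructed: bare apex
]

def report():
    """Map each sample host to whether the certificate covers it."""
    return {h: bool(covered_by(CERT_NAMES, h)) for h in HOSTS}

if __name__ == "__main__":
    for host, ok in report().items():
        print(f"{host:45} {'covered' if ok else 'NOT covered'}")
```

Under this rule the wildcard covers single-label names such as billing.bluespring.me but not the four-label rDNS name the scan reported, so the scanned service would need that name, or a wildcard at the dia.static level, listed in the certificate.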