Verified Commit d7f7f88a authored by Silvio Rhatto

Feat: docs: guides: certificates: admonition on wildcard SAN in the CSR by default (onionmine#39)
parent d0f95af8
+20 −0
@@ -176,6 +176,26 @@ For a project named `myproject`, this file will be available at `projects/myproj

This [CSR][] is ready to use with a [CA][].

!!! info Wildcard SAN in the CSR by default

    Onionspray adds a [wildcard][] as a [Subject Alternative
    Name][subjectAltName] (SAN) by default in the resulting [CSR][], which
    should be harmless if a certificate being purchased/requested won't have
    a [wildcard][], as it's the [CA][]'s job to parse and remove
    [SANs][subjectAltName] that does not belong to an order).

    The rationale behind that is discussed at [tpo/onion-services/onionmine#39][].

    If you find problems with a [CA][] not accepting your [CSR][] because of
    that -- like if you're purchasing a regular, non-wildcard certificate, but
    your [CSR][] has a [wildcard][] in the `subjectAltName`, please open an
    [issue report][].

[wildcard]: https://en.wikipedia.org/wiki/Public_key_certificate#Wildcard_certificate
[subjectAltName]: https://en.wikipedia.org/wiki/Public_key_certificate#Subject_Alternative_Name_certificate
[tpo/onion-services/onionmine#39]: https://gitlab.torproject.org/tpo/onion-services/onionmine/-/issues/39
[issue report]: ../contact.md

### 3. Proof of .onion possession command { #proof-of-possession }

The [CSR][] is not enough for getting a [CA][]-issued certificate.
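
Review bot: the first paragraph of the new admonition ends with `that does not belong to an order).`, which closes a parenthesis that is never opened and has a subject-verb mismatch; suggest "as it's the [CA][]'s job to parse and remove [SANs][subjectAltName] that do not belong to an order." In the third paragraph the aside opened with `--` is closed with a comma after `subjectAltName`, so close it with a matching `--`. On the `!!! info Wildcard SAN in the CSR by default` line the title is unquoted; assuming these docs are rendered with the Python-Markdown admonition syntax (which the `!!!` marker suggests), unquoted words after the type are read as extra classes and the box falls back to a generic title, so write `!!! info "Wildcard SAN in the CSR by default"`. Since "should be harmless" depends on how each CA handles the extra SAN, it would also help to say how a reader can check which SANs their CSR carries before submitting it.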