wildcard certificate private key

[StevenWegner]

Interesting. We use Wiz.io for cloud security and I got the following alert

"This container image contains a private key in cleartext, which belongs to a wildcard domain certificate that is signed by a CA.

An attacker that gains access to the resource could compromise the key. If that key is compromised, all secure connections to all servers and subdomains listed in the certificate will be compromised. Moreover, that attacker will be able to impersonate any domain protected by that wildcard certificate by creating a new sub-domain for the certificate's domain and use it for hosting malicious sites and phishing campaigns"

Ended up being /moto/tests/test_acm/resources/star_moto_com.pem just FYI for anyone else who gets similar alert.

[bblommers]

Hi @StevenWegner, thanks for sharing!

FYI, there is another private key in moto/moto_proxy/ca.key. That is a CA key though, I don't know whether wiz.io makes a distinction between them.