The SSL cert issuing and validation processes look clean individually, but this null character thingy spoils the party. Good that Mozilla 3.5 is not vulnerable. Also, certain browsers restrict the validity of wildcard certs to a single level of indirection. Those browsers handle this case better.
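
The two checks mentioned above, as an added example that is not part of the original post: a certificate-name matcher that rejects any name containing a NUL byte and lets a wildcard cover exactly one label, next to a naive C-string comparison that stops at the first NUL. The function names and the `.test` host names are constructed for illustration, and the code assumes the certificate name is handed over as a pointer plus its encoded length.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Naive check: treats the certificate name as a C string, so the
   comparison stops at the first NUL and ignores whatever follows it. */
int naive_match(const char *cert_name, const char *host) {
    return strcmp(cert_name, host) == 0;
}

static int eq_nocase(const char *a, const char *b, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Length-aware check: name/name_len are the raw bytes and length of the
   name as encoded in the certificate. Returns 1 on match, 0 otherwise. */
int strict_match(const char *name, size_t name_len, const char *host) {
    size_t host_len = strlen(host);
    /* A name with an embedded NUL is never accepted. */
    if (name_len == 0 || memchr(name, '\0', name_len) != NULL)
        return 0;
    /* Wildcard: only "*." as the whole leftmost label, and it stands
       for exactly one label of the host (a single level). */
    if (name_len > 2 && name[0] == '*' && name[1] == '.') {
        const char *dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return 0;
        name += 1; name_len -= 1;          /* keep ".example.test" */
        host_len -= (size_t)(dot - host);  /* drop host's first label */
        host = dot;
    }
    if (memchr(name, '*', name_len) != NULL)
        return 0;                          /* no other wildcard forms */
    return name_len == host_len && eq_nocase(name, host, name_len);
}

int main(void) {
    /* Constructed sample: a name with a NUL byte in the middle. */
    static const char cn[] = "www.example.test\0.other.test";
    printf("naive:  %d\n", naive_match(cn, "www.example.test"));
    printf("strict: %d\n", strict_match(cn, sizeof cn - 1, "www.example.test"));
    return 0;
}
```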