We use SSL certificates for smart proxies to authenticate against Foreman. Usually certificates are created by Puppet CA and the CN is FQDN of the proxy host. But we also have support for custom certificates and we support alternative names. Similarly we should support wildcard certificates, so if CN is "*.example.tst" it should match "proxy.example.tst". On one hand it allows using same certificate for more proxies which means imported reports might not be linked correctly but we already allow that through alternative names.