The Certificate Authority looks at the domain string starting from the root, and NSS looks at it like a normal string.
The real problem is not just that they both stop at the null character, but that they both preserve the original input instead of only passing along the part before the first null.
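The mismatch described above, shown as an added example that is not part of the original text and is not NSS or CA code. The three functions are simplified models, and the host names, the sample bytes and all identifiers are constructed for illustration. It puts the C-string comparison beside a length-aware one that refuses names containing an embedded NUL.

```c
#include <stdio.h>
#include <string.h>

/* A certificate name as decoded from ASN.1: raw bytes plus an explicit length. */
struct cert_name { const char *data; size_t len; };

/* Constructed sample: 16 bytes, an embedded NUL, then 14 more bytes (31 total). */
static const char SAMPLE[] = "www.bank.example\0.owner.example";
static const struct cert_name SAMPLE_NAME = { SAMPLE, sizeof(SAMPLE) - 1 };
static const struct cert_name CLEAN_NAME = { "www.bank.example", 16 };

/* Issuer-side view (simplified model): read from the root, i.e. check the
 * right-hand labels over the full declared length. */
static int ends_with_domain(struct cert_name n, const char *domain) {
    size_t dl = strlen(domain);
    if (n.len <= dl) return 0;
    return n.data[n.len - dl - 1] == '.' &&
           memcmp(n.data + n.len - dl, domain, dl) == 0;
}

/* C-string view: strcmp() stops at the first NUL and ignores n.len.
 * Relies on data being NUL-terminated, as the samples here are. */
static int match_cstring(struct cert_name n, const char *host) {
    return strcmp(n.data, host) == 0;
}

/* Length-aware view: refuse any name with a NUL inside its declared length,
 * then compare every byte. Case folding and wildcards are left out. */
static int match_strict(struct cert_name n, const char *host) {
    if (memchr(n.data, '\0', n.len) != NULL) return 0;
    return n.len == strlen(host) && memcmp(n.data, host, n.len) == 0;
}

int main(void) {
    printf("declared length %zu, strlen %zu\n", SAMPLE_NAME.len, strlen(SAMPLE));
    printf("issuer view, under owner.example: %d\n",
           ends_with_domain(SAMPLE_NAME, "owner.example"));
    printf("C-string match on www.bank.example: %d\n",
           match_cstring(SAMPLE_NAME, "www.bank.example"));
    printf("strict match on www.bank.example: %d\n",
           match_strict(SAMPLE_NAME, "www.bank.example"));
    printf("strict match, clean name: %d\n",
           match_strict(CLEAN_NAME, "www.bank.example"));
    return 0;
}
```

The gap between the declared length and `strlen()` is the signal to check for: any name where the two differ should be rejected before it reaches a comparison.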