For sake of posterity, some more trawling through the net produced an answer to my own question.
It's not supposed to work that way according to RFC 2818, a wildcard is not supposed to match a .
Mozilla allows it however, there is a bug lodged mentioning it (a years old bug mind you) so the capability may go away sometime.
Opera also allows it. Konq doesn't, so I guess Safari probably won't either.
CaCert has more explanation: http://wiki.cacert.org/wiki/WildcardCertificates
Back to the drawing board for me then :-(