square / keywhiz

A system for distributing and managing secrets

Home Page: https://square.github.io/keywhiz/

Keywhiz has inconsistencies in filename enforcement

sqshh opened this issue

As evidenced by this output:

```
keywhiz.cli describe secret --name shh.2016-01-26T23:49:27Z.key
Exception in thread "main" java.lang.IllegalArgumentException: Invalid name, must match ^[a-zA-Z_0-9\-.]+$
    at keywhiz.cli.commands.DescribeAction.run(DescribeAction.java:58)
    at keywhiz.cli.CommandExecutor.executeCommand(CommandExecutor.java:141)
    at keywhiz.cli.CliMain.main(CliMain.java:68)
```

This secret was added via the automation API and otherwise is served and is displayed correctly.

We should remove the check in the CLI and enforce (if we wish to) on the server side. Given that the secrets end up being accessed via a file system API, limiting the name to some subset of characters we know work across platforms is probably going to be a good idea.
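
A sketch of the single validation point the report asks for, as an added example that is not Keywhiz code: one validator that both the CLI and the server could call, so a name cannot be accepted at creation and rejected later. The class name `SecretNameValidator`, the length cap, and the `.`/`..` check are assumptions added here; only the pattern comes from the exception above.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical shared validator (not Keywhiz code): one rule set for CLI and server. */
public final class SecretNameValidator {
    // Pattern quoted in the CLI exception above.
    private static final Pattern ALLOWED = Pattern.compile("^[a-zA-Z_0-9\\-.]+$");
    // Assumption: an added length cap; 255 is a common per-component filename limit.
    private static final int MAX_LENGTH = 255;

    /** Returns the reasons a name is rejected; an empty list means it is accepted. */
    public static List<String> problems(String name) {
        List<String> out = new ArrayList<>();
        if (name == null || name.isEmpty()) {
            out.add("name is empty");
            return out;
        }
        if (name.length() > MAX_LENGTH) {
            out.add("longer than " + MAX_LENGTH + " characters");
        }
        if (!ALLOWED.matcher(name).matches()) {
            // List each distinct offending character so the caller can fix the name.
            StringBuilder bad = new StringBuilder();
            name.chars()
                .filter(c -> !ALLOWED.matcher(String.valueOf((char) c)).matches())
                .distinct()
                .forEach(c -> bad.append('\'').append((char) c).append("' "));
            out.add("characters outside the allowed set: " + bad.toString().trim());
        }
        // Assumption: the pattern alone accepts "." and "..", which a file system
        // treats as directory entries rather than file names, so reject them too.
        if (name.equals(".") || name.equals("..")) {
            out.add("reserved directory entry");
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed samples; the first is the name from the report above.
        String[] samples = {"shh.2016-01-26T23:49:27Z.key", "shh.2016-01-26T23-49-27Z.key", "..", ""};
        for (String s : samples) {
            List<String> p = problems(s);
            System.out.println("\"" + s + "\" -> " + (p.isEmpty() ? "ok" : p));
        }
    }
}
```

The first sample is rejected only for `':'`, which is also a character Windows does not allow in file names; the second, with the colons replaced by hyphens, passes.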