Wildcard SSL Certificates Explained
A wildcard SSL certificate secures a domain and all of its first-level subdomains with a single certificate. Instead of purchasing and managing separate certificates for each subdomain, a wildcard certificate provides a cost-effective and simplified solution.
How Wildcard Certificates Work
A wildcard certificate uses an asterisk (*) as a placeholder for the subdomain portion of the domain name. For example:
- Certificate for: *.example.com
- Covers: www.example.com, mail.example.com, shop.example.com, blog.example.com, and any other first-level subdomain.
The wildcard character (*) matches any single level of subdomain.
What Wildcard Certificates Cover
| Covered | Not Covered |
|---|---|
| www.example.com | example.com (base domain — though many CAs include it) |
| mail.example.com | sub.sub.example.com (multi-level subdomains) |
| shop.example.com | otherdomain.com (different domains) |
| api.example.com | *.sub.example.com (second-level wildcards) |
| anything.example.com | |
Note: Most Certificate Authorities include the base domain (example.com) as a Subject Alternative Name (SAN) when issuing a wildcard certificate for *.example.com. Verify this with your provider.
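The matching rules from the two sections above, written out as code. This is an added example and not part of the original article: a small matcher that applies the single-label wildcard rule to a certificate's name list, so you can see why *.example.com covers www.example.com but not example.com (unless it is listed as a SAN), sub.sub.example.com, or otherdomain.com. The function names and the sample name lists are my own; the rules are assumed to mirror what browsers and OpenSSL enforce (full leftmost-label wildcard only, exactly one label matched, no partial wildcards, no wildcard covering a whole TLD).

```python
# Added example (not from the original article): wildcard hostname matching.
# Rules implemented (assumed to mirror browser / OpenSSL behaviour):
#   - the wildcard must be the entire leftmost label ("*.example.com");
#   - it matches exactly one label, so "a.b.example.com" is not covered;
#   - the base domain "example.com" is covered only if listed separately (as a SAN);
#   - comparison is case-insensitive and ignores a trailing dot.
from typing import Dict, Iterable


def _normalize(name: str) -> str:
    """Lower-case a DNS name and drop any trailing dot."""
    return name.rstrip(".").lower()


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (literal or wildcard) covers hostname."""
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # Only a full-label wildcard in the leftmost position is accepted; a wildcard
    # anywhere else, or a partial one such as "w*.example.com", is rejected.
    if labels[0] != "*" or any("*" in label for label in labels[1:]):
        return False
    # Refuse "*" and "*.com"-style patterns that would cover an entire TLD.
    if len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    # The wildcard stands in for exactly one non-empty label; the rest must be identical.
    return (
        len(host_labels) == len(labels)
        and host_labels[0] != ""
        and host_labels[1:] == labels[1:]
    )


def certificate_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """Return True if any name on the certificate (CN or SAN entries) covers hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def coverage_report(cert_names: Iterable[str], hostnames: Iterable[str]) -> Dict[str, bool]:
    """Map each hostname to whether the certificate's name list covers it."""
    names = list(cert_names)
    return {h: certificate_covers(names, h) for h in hostnames}


if __name__ == "__main__":
    # Constructed sample name lists: a wildcard-only certificate and one that
    # also carries the base domain as a SAN, as most CAs issue it.
    wildcard_only = ["*.example.com"]
    wildcard_with_base = ["*.example.com", "example.com"]
    hosts = ["www.example.com", "example.com", "sub.sub.example.com", "otherdomain.com"]
    for label, names in [("wildcard only", wildcard_only), ("wildcard + base SAN", wildcard_with_base)]:
        print(label)
        for host, covered in coverage_report(names, hosts).items():
            print(f"  {host:24} {'covered' if covered else 'NOT covered'}")
```

Run it and the report shows the table above reproduced from code: only the certificate that lists example.com as a SAN covers the bare domain, and neither list covers the multi-level or foreign names. Because the matcher is strict about where the asterisk may appear, it also rejects patterns such as w*.example.com and *.com, which a certificate should never carry in the first place.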
When to Use a Wildcard Certificate
Good Use Cases
- Websites with multiple subdomains — e.g., www, mail, blog, shop, api all under one domain.
- Development environments — dev.example.com, staging.example.com, test.example.com.
- Multi-tenant applications — where each customer gets a subdomain like customer1.example.com.
- Simplifying certificate management — one certificate to track, renew, and install instead of many.
When NOT to Use a Wildcard Certificate
- You only need one or two subdomains — individual certificates may be simpler and cheaper.
- You need EV (Extended Validation) — wildcard certificates are not available with EV validation.
- You need to secure multi-level subdomains — *.sub.example.com requires a separate wildcard certificate.
- You need to secure different domains — use a Multi-Domain (SAN) certificate instead.
- Security isolation is critical — if one subdomain’s private key is compromised, all subdomains are affected.
Validation Types Available
| Validation Level | Available for Wildcard? |
|---|---|
| Domain Validation (DV) | Yes |
| Organization Validation (OV) | Yes |
| Extended Validation (EV) | No |
How to Order a Wildcard Certificate
1. Generate a CSR with the Common Name set to *.yourdomain.com:
   openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr
   When prompted for the Common Name, enter: *.yourdomain.com
2. Submit the CSR to your SSL certificate provider.
3. Complete domain validation (email, DNS, or HTTP method).
4. Install the certificate on your server.
See How to Generate a CSR Using OpenSSL for detailed CSR generation steps.
Installing a Wildcard Certificate
The installation process is the same as a standard SSL certificate. The key difference is that the same certificate and private key can be deployed across multiple servers or virtual hosts that serve different subdomains.
Apache Example
<VirtualHost *:443>
ServerName www.example.com
ServerAlias *.example.com
SSLEngine on
SSLCertificateFile /etc/ssl/wildcard_example_com.crt
SSLCertificateKeyFile /etc/ssl/wildcard_example_com.key
SSLCertificateChainFile /etc/ssl/ca-bundle.crt
</VirtualHost>
Nginx Example
server {
listen 443 ssl;
server_name *.example.com;
ssl_certificate /etc/ssl/wildcard_example_com.crt;
ssl_certificate_key /etc/ssl/wildcard_example_com.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
}
Wildcard vs. Multi-Domain (SAN) Certificates
| Feature | Wildcard | Multi-Domain (SAN) |
|---|---|---|
| Covers | One domain + all first-level subdomains | Multiple specific domains |
| Example | *.example.com | example.com, example.net, other.com |
| Adding new subdomains | Automatic — no reissuance needed | Requires certificate reissuance |
| EV available | No | Yes |
| Multi-level subdomains | No | Can list specific ones |
| Best for | Many subdomains on one domain | Multiple separate domains |
Wildcard Certificate with Let’s Encrypt
Let’s Encrypt supports wildcard certificates using DNS-01 validation:
sudo certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d "example.com"
You will be prompted to create a DNS TXT record to prove domain ownership. For automated renewal, use a DNS plugin for your DNS provider:
sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d "*.example.com" -d "example.com"
Security Considerations
- Key compromise risk: If the private key for a wildcard certificate is compromised, an attacker could impersonate any subdomain.
- Use on limited servers: Only deploy the wildcard certificate on servers that need it.
- Consider separate certificates for high-security subdomains (e.g., payment processing).
- Monitor Certificate Transparency logs to detect unauthorized use of your wildcard certificate.
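The last point above, turned into a concrete check. This is an added example and not part of the original article: it triages Certificate Transparency search results for your domain and reports any wildcard certificate that was not issued through the CA you use or whose serial number is not in your own inventory, which is how a mis-issued or attacker-obtained *.example.com certificate would surface. The records are constructed for this example; their field names (issuer_name, name_value, serial_number, not_before) are assumed to follow the JSON that crt.sh returns, and the monitored domain, expected issuer and known serials are placeholders you would replace with your own.

```python
# Added example (not from the original article): triage of Certificate
# Transparency search results to spot wildcard certificates for your domain
# that you did not issue yourself.
from typing import Dict, Iterable, List, Set

MONITORED_DOMAIN = "example.com"                       # assumption: the domain you own
EXPECTED_ISSUERS = {"C=US, O=Let's Encrypt, CN=R3"}    # assumption: the CA(s) your inventory uses
KNOWN_SERIALS = {"03a1b2c3"}                           # constructed: serials you issued yourself

# Constructed sample records mimicking crt.sh's JSON field names (assumed).
# crt.sh joins all SAN entries of a certificate into name_value with newlines.
SAMPLE_CT_RECORDS = [
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "*.example.com\nexample.com",
     "serial_number": "03a1b2c3", "not_before": "2024-01-10T00:00:00"},   # your own certificate
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "name_value": "*.example.com\nexample.com",
     "serial_number": "04ffee99", "not_before": "2024-03-02T00:00:00"},   # right CA, unknown serial
    {"issuer_name": "CN=Some Other CA", "name_value": "*.example.com",
     "serial_number": "0badc0de", "not_before": "2024-03-05T00:00:00"},   # unexpected issuer
    {"issuer_name": "CN=Some Other CA", "name_value": "www.example.com",
     "serial_number": "11112222", "not_before": "2024-03-06T00:00:00"},   # not a wildcard: ignored here
    {"issuer_name": "CN=Some Other CA", "name_value": "*.example.com.evil.test",
     "serial_number": "33334444", "not_before": "2024-03-07T00:00:00"},   # different domain: ignored
]


def covers_wildcard_for(name_value: str, domain: str) -> bool:
    """True if any name in the record is a wildcard inside domain (e.g. *.example.com, *.sub.example.com)."""
    domain = domain.lower()
    for name in name_value.split("\n"):
        name = name.strip().lower()
        if not name.startswith("*."):
            continue
        parent = name[2:]
        if parent == domain or parent.endswith("." + domain):
            return True
    return False


def triage_ct_records(records: Iterable[Dict[str, str]],
                      domain: str = MONITORED_DOMAIN,
                      expected_issuers: Set[str] = EXPECTED_ISSUERS,
                      known_serials: Set[str] = KNOWN_SERIALS) -> List[Dict[str, object]]:
    """Return wildcard records for domain that are not accounted for, each with the reasons."""
    findings = []
    for rec in records:
        if not covers_wildcard_for(rec["name_value"], domain):
            continue
        reasons = []
        if rec["issuer_name"] not in expected_issuers:
            reasons.append("unexpected issuer")
        if rec["serial_number"] not in known_serials:
            reasons.append("serial not in inventory")
        if reasons:
            findings.append({
                "serial_number": rec["serial_number"],
                "issuer_name": rec["issuer_name"],
                "not_before": rec["not_before"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in triage_ct_records(SAMPLE_CT_RECORDS):
        print(f"ALERT serial={finding['serial_number']} issuer={finding['issuer_name']!r} "
              f"not_before={finding['not_before']} reasons={', '.join(finding['reasons'])}")
```

On the sample data this raises two alerts: the certificate from the expected CA whose serial is not in the inventory (someone else completed validation for your domain, or a renewal you did not record), and the one from an unfamiliar CA. Keeping KNOWN_SERIALS in sync with every wildcard certificate you actually issue is what makes the check meaningful; without that inventory, the issuer test alone still catches certificates from CAs you never use.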