Wildcard SSL Certificates Explained
Learn how wildcard SSL certificates work with *.example.com patterns. Understand their scope, limitations, multi-level subdomain restrictions, and when to use SAN certificates instead.
Detailed Explanation
What Is a Wildcard Certificate?
A wildcard certificate is an SSL/TLS certificate that uses an asterisk (*) in the domain name to cover all single-level subdomains of a domain. A certificate issued for *.example.com is valid for www.example.com, api.example.com, mail.example.com, and any other subdomain at that level.
How Wildcard Matching Works
The wildcard character replaces exactly one label in the domain name:

```
Certificate SAN: *.example.com

✅ Matches:
   www.example.com
   api.example.com
   staging.example.com
   anything.example.com

❌ Does NOT match:
   example.com              (no subdomain)
   sub.www.example.com      (two levels deep)
   example.org              (different domain)
```
This is a critical limitation: a wildcard only covers the one label it stands in for. To cover sub.www.example.com you would need *.www.example.com (or the exact hostname) as a separate certificate or as an additional SAN in the same certificate.
Wildcard + Bare Domain
Most CAs issue wildcard certificates with two SANs: the wildcard (*.example.com) and the bare domain (example.com). Always verify both are present in the certificate's SAN extension:

```
X509v3 Subject Alternative Name:
    DNS:*.example.com, DNS:example.com
```

If the bare domain SAN is missing, users accessing https://example.com (without www) will see a certificate error, because *.example.com does not match a name with no subdomain label.
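The matching rules above and the "wildcard + bare domain" check, as an added example that is not part of the original article. The SAN line is a constructed sample in the format `openssl x509 -text` prints; the function names are my own.

```python
# Added example: check which hostnames a certificate's DNS SANs cover, using
# the single-label wildcard rule described in the article. Not from the page.
import re

# Constructed sample: the SAN line as printed by `openssl x509 -text`.
SAN_LINE = "DNS:*.example.com, DNS:example.com"


def parse_dns_sans(san_line: str) -> list[str]:
    """Extract the DNS names from an openssl-style SAN line (lowercased)."""
    return [m.lower() for m in re.findall(r"DNS:([^,\s]+)", san_line)]


def san_matches(san: str, hostname: str) -> bool:
    """Return True if a single SAN entry covers hostname.

    Wildcard rules as enforced by current browsers and the CA/B Forum
    Baseline Requirements:
    - '*' must be the entire leftmost label ('w*.example.com' is rejected);
    - it stands for exactly one label, so *.example.com matches
      www.example.com but neither example.com nor sub.www.example.com.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname          # plain SAN: exact match only
    if "*" in san[2:]:
        return False                    # wildcard outside the leftmost label
    suffix = san[1:]                    # ".example.com"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]     # the part the '*' would stand for
    # Exactly one non-empty label: a '.' here means two levels deep.
    return left != "" and "." not in left


def covered(sans: list[str], hostname: str) -> bool:
    """True if any SAN in the certificate covers hostname."""
    return any(san_matches(s, hostname) for s in sans)


def has_bare_domain(sans: list[str]) -> bool:
    """For every wildcard SAN, verify the bare domain is also listed."""
    return all(s[2:] in sans for s in sans if s.startswith("*."))
```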
Wildcard vs SAN Certificates
| Feature | Wildcard | Multi-Domain SAN |
|---|---|---|
| Coverage | All subdomains of one domain | Specific listed domains |
| Multi-level | No | Yes (each listed explicitly) |
| Multiple domains | No | Yes (a.com, b.com, c.com) |
| Certificate size | Small | Grows with SAN count |
| Flexibility | Add subdomains anytime | Must reissue to add domains |
Security Considerations
Broader attack surface — if the private key of a wildcard certificate is compromised, the attacker can impersonate every hostname the wildcard covers, and because that one key typically has to be deployed on every server hosting a covered subdomain, there are more places it can leak from. With individual certificates, a compromise affects only one subdomain.
No EV wildcards — Extended Validation (EV) certificates cannot be issued as wildcards. The CA/Browser Forum prohibits this.
Certificate Transparency — issued certificates are published in CT logs. A wildcard certificate reveals only that a domain uses subdomains, whereas per-subdomain certificates publish each specific hostname in the logs.
Let's Encrypt Wildcards
Let's Encrypt issues free wildcard certificates, but they require DNS-01 challenge validation (you must create a TXT record in DNS). HTTP-01 challenges are not supported for wildcards because the CA needs to verify control over the entire domain, not just a specific subdomain.

```
certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d "example.com"
```
Use Case
Use wildcard certificates to secure all subdomains under a single domain with one certificate, reducing management overhead for platforms with many subdomains that share the same server.