What Is a Wildcard Certificate? | NOC.org

Understanding Wildcard Certificates

A wildcard certificate is a TLS/SSL certificate that secures a domain and all of its subdomains at a single level using a wildcard character (*) in the domain name field. For example, a certificate issued to *.example.com will secure www.example.com, mail.example.com, api.example.com, and any other subdomain at that level — all with a single certificate.

Wildcard certificates simplify certificate management for organizations that operate many subdomains. Instead of provisioning and renewing individual certificates for each subdomain, a single wildcard certificate covers them all.

How Wildcard Syntax Works

The wildcard character * replaces exactly one subdomain label in the certificate's Common Name (CN) or Subject Alternative Name (SAN) field. Important rules to understand:

  • *.example.com matches www.example.com, shop.example.com, blog.example.com, and so on.
  • It does not match the bare domain example.com itself. Most CAs include both *.example.com and example.com as SANs, but you should verify this before purchasing.
  • It does not match multi-level subdomains. For instance, *.example.com will not cover staging.api.example.com. You would need a separate certificate or a wildcard for *.api.example.com.
  • The wildcard can only appear as the leftmost label. www.*.example.com is not valid syntax.

Wildcard vs. SAN Certificates

Both wildcard and SAN (Subject Alternative Name) certificates can secure multiple hostnames, but they work differently:

  • Wildcard certificates cover unlimited subdomains at one level of a single domain. They are ideal when you frequently add new subdomains and do not want to reissue the certificate each time.
  • SAN certificates (also called multi-domain or UCC certificates) list specific hostnames — which can be entirely different domains. A single SAN certificate might cover example.com, example.net, and app.example.org. Each name must be explicitly listed.
  • Combined approach: Many CAs allow you to include wildcard entries as SANs, giving you both the flexibility of wildcards and the ability to cover multiple base domains on one certificate.

The choice depends on your infrastructure. If all your services are subdomains of a single domain, a wildcard certificate is simpler. If you manage multiple distinct domains, a SAN certificate is more appropriate.
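The following is an added worked example, not code from the original NOC.org article. It implements the single-label wildcard rules described above (the same rules browsers and TLS libraries apply, per RFC 6125 section 6.4.3) and then checks which of a list of hostnames a certificate's SAN entries actually cover. The SAN list and hostnames are constructed sample data; the function names are my own. Running such a check against the names a CA proposes to put on a certificate is a quick way to confirm, before purchase or deployment, that the bare domain and any deeper subdomains are really included.

```python
"""Wildcard and SAN coverage checker (added example, constructed sample data).

Rules implemented, matching the text above and RFC 6125 section 6.4.3:
  * the wildcard must be the entire leftmost label ("*.example.com");
  * it stands in for exactly one label, so it matches neither the bare
    domain nor a multi-level subdomain;
  * DNS names compare case-insensitively and a trailing dot is ignored.
Real validators also refuse wildcards on public suffixes ("*.com"); that
check needs the Public Suffix List and is left out here.
"""


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (exact or wildcard) covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if any(lbl == "" for lbl in h):
        return False  # empty label, e.g. ".example.com": not a valid host
    if "*" not in pattern:
        return p == h  # exact SAN entry: labels must be identical
    # The wildcard must be the whole leftmost label and appear nowhere else:
    # "www.*.example.com" and "w*.example.com" are not valid patterns.
    if len(p) < 2 or p[0] != "*" or any("*" in lbl for lbl in p[1:]):
        return False
    # One wildcard replaces exactly one label, so label counts must match:
    # "*.example.com" covers "www.example.com" but not "example.com"
    # (one label short) nor "staging.api.example.com" (one label too many).
    if len(h) != len(p):
        return False
    return h[1:] == p[1:]


def cert_covers(san_names: list[str], hostname: str) -> bool:
    """True if any name on the certificate's SAN list covers hostname."""
    return any(name_matches(n, hostname) for n in san_names)


def coverage_report(san_names: list[str], hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname to whether the SAN list covers it."""
    return {h: cert_covers(san_names, h) for h in hostnames}


def uncovered(san_names: list[str], hostnames: list[str]) -> list[str]:
    """Hostnames that would fail validation under this certificate."""
    return [h for h, ok in coverage_report(san_names, hostnames).items() if not ok]


# Constructed SAN list mixing a wildcard, the bare domain, a second-level
# wildcard and an unrelated domain, as the "combined approach" above allows.
SAMPLE_SANS = ["*.example.com", "example.com", "*.api.example.com", "example.net"]

# Constructed hostnames an operator might want a single certificate to serve.
SAMPLE_HOSTS = [
    "www.example.com",              # covered by *.example.com
    "example.com",                  # covered only because it is listed explicitly
    "api.example.com",              # covered by *.example.com
    "staging.api.example.com",      # covered by *.api.example.com
    "deep.staging.api.example.com", # too many labels for either wildcard
    "example.net",                  # exact SAN entry
    "app.example.net",              # no wildcard for example.net: not covered
]

if __name__ == "__main__":
    for host, ok in coverage_report(SAMPLE_SANS, SAMPLE_HOSTS).items():
        print(f"{'OK ' if ok else 'MISSING'}  {host}")
```

Run it as-is to see which sample names the certificate would and would not validate for; `uncovered()` returns the list you would have to add as extra SANs or cover with another wildcard.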

When to Use a Wildcard Certificate

Wildcard certificates are a good fit in several scenarios:

  • Dynamic subdomains: SaaS platforms that provision subdomains for each customer (e.g., customer1.app.com) benefit from a wildcard that automatically covers new subdomains.
  • Development and staging environments: Teams that use subdomains like dev.example.com, staging.example.com, and qa.example.com can secure them all without individual certificates.
  • Simplified management: Fewer certificates mean fewer renewals, fewer configuration files, and less risk of an expired certificate causing downtime.

Security Considerations

While wildcard certificates are convenient, they introduce specific security tradeoffs:

  • Broader blast radius: If the certificate's private key is compromised, every subdomain covered by that wildcard is affected. With individual certificates, a compromise is limited to a single subdomain.
  • Key distribution: Because the same certificate is deployed across multiple servers and services, the private key must be copied to each one. This increases the number of places where the key could be exposed.
  • No granular revocation: You cannot revoke a wildcard certificate for just one subdomain. Revoking it affects all subdomains, requiring a new certificate to be issued and deployed everywhere.

To mitigate these risks, store private keys securely, use short-lived certificates where possible (e.g., 90-day certificates from Let's Encrypt with automated renewal), and limit the number of systems that have access to the key.

For sites served through a CDN, the CDN edge typically handles TLS termination, and many CDN providers offer automated wildcard certificate provisioning. Combined with proper security headers and HSTS enforcement, a wildcard certificate can be part of a strong, manageable security posture.