What is a Wildcard Domain Certificate?

What is a Wildcard Certificate?

A wildcard certificate (like SSL/TLS) is a public key certificate that can protect several subdomains inside a domain and is normally acquired from a trustworthy public Certificate Authority (CA). 

Multiple subdomains for your website can benefit your business but can also be challenging to manage. Multiple SSL/TLS certificates to secure those subdomains increase the complexity, but a wildcard certificate can efficiently resolve this issue. 

A Wildcard certificate can save you time and money compared to managing individual certificates for your subdomains. 

 Wildcards are frequently used in Secure Socket Layers (SSL) certificates to extend SSL encryption to subdomains. A traditional SSL certificate is only valid for a single domain, such as www.domain.com. A *.domain.com wildcard certificate will protect cloud.domain.com, shop.domain.com, mobile.domain.com, and other domains

How Does Wildcard SSL Certificate Work? 

Wildcard certificates are issued to domains with a wildcard character in their hostname, represented by an asterisk (*). This character can represent an infinite amount of subdomains.

Along with your parent domain, a wildcard certificate can secure any number of subdomains.

For better understanding, let’s take an example:

Suppose an organization has three subdomains:

• www.encryptionconsulting.com
• pki.encryptionconsulting.com
• codesign.encryptionconsulting.com

The organization can purchase only one wildcard certificate instead of having three individual SSL certificates for the above subdomains. In addition to the subdomains that the wildcard certificate already covers, it can also cover more subdomains without any extra charges. 

Wildcard certificates can also be issued as Domain Validated (DV) certificates, which can be provided in a few minutes and require proof of domain ownership. You can also get an Organization Validated (OV) certificate, including your company’s information in the certificate details. It requires a verification process to ensure that your website is legitimate. But cannot be issued as an Extended Validation (EV) Certificate. 

Like other digital certificates, wildcard SSL certificates possess a finite validity period and require effective certificate administration. Upon the expiration of a certificate, it becomes essential to initiate its renewal and substitution across all applicable locations. The absence of certificate renewal makes the associated website(s) inaccessible through HTTPS, presenting visitors with an error message. 

When renewing a wildcard SSL certificate, creating a new Certificate Signing Request (CSR) is necessary, followed by its submission to the designated Certificate Authority (CA). It is imperative to explicitly indicate that the renewal pertains to a wildcard certificate, as this detail will influence the CA’s generation of the new certificate.

Learning from Experience: The Fallout of a Wildcard Certificate Outage 

In May 2018, Epic Games, the company responsible for popular video games like Fortnite and Rocket League, encountered a significant service disruption that resulted in millions of players being unable to log in and connect. The underlying cause? An expired wildcard SSL certificate. 

This certificate, implemented across numerous production services within AWS, had far-reaching consequences due to its expiration. The outage led to widespread inconvenience and irritation among gamers, prompting many to express dissatisfaction on social media platforms. 

This occurrence underscores a potential drawback associated with wildcard certificates. Because these certificates secure numerous subdomains using a single certificate, the expiration of one certificate can trigger extensive disruptions across various services. 

For those employing wildcard certificates, it’s crucial to meticulously monitor the expiration date and renew it promptly to pre-empt potential complications. The recovery process for Epic Games took approximately five and a half hours to complete. Remarkably, the company openly shared the particulars of their experience as a teachable moment for others in the industry, and they acted swiftly to rectify the situation. 

Benefits of using Wildcard SSL Certificates

Wildcard SSL certificates can be very beneficial for organizations looking to secure several subdomains while maintaining flexibility. The following are some advantages of using wildcard certificates:

• Secure any number of subdomains

  Without having different SSL certificates for each subdomain, a single wildcard SSL certificate can cover as many subdomains as you want.

• Straightforward Certificate Administration

  Individual SSL certificates must be deployed and managed properly to secure an increasing number of public-facing domains, cloud workloads, and devices. But by using a single wildcard certificate, you can manage unlimited domains that make certificate management simpler.

• Cost-cutting

  A wildcard certificate costs more than an ordinary SSL certificate, but it becomes a cost-effective alternative compared to the overall cost of securing all of your subdomains with their certificate.

• Fast and Flexible Implementation

  A wildcard certificate is a great way to build new sites on new subdomains that your existing certificate can cover. There’s no need to wait for a new SSL certificate that saves your time and speeds up your time to market.

Risk of Using Wildcard Certificates

Wildcard certificates are frequently used to cover all domains with the same registered root, making administration straightforward. However, because the same private key is used across numerous systems, the freedom that comes with using wildcard certificates also comes with severe security risks:

• Web Server Security

  If one server or sub-domain gets hacked, all sub-domains may be hacked as well.

• Access To Private Key

  If the private key of a wildcard certificate gets compromised then the hacker can impersonate any domain for the wildcard certificate.

• Fake Certificates:

  Attackers can fool a certificate authority (CA) into issuing a wildcard certificate for a bogus organization. Once the attacker gets the fictitious company’s wildcard certificates, they can set up subdomains and phishing sites.

• Certificate Management

  All sub-domains will require a new certificate if the wildcard certificate gets revoked.

Conclusion

In essence, while wildcard certificates might find applicability in specific scenarios, it is advisable to steer clear of their use in most cases. If you opt to acquire a wildcard certificate, generating and safeguarding the private key securely becomes paramount. Additionally, maintaining a comprehensive overview of all deployment points for the certificate is vital to guarantee timely renewal and substitution before its expiration

How can Encryption Consulting help?

Encryption Consulting provides a specialized Certificate Lifecycle management solution CertSecure Manager. From discovery and inventory to issuance, deployment, renewal, revocation, and reporting. CertSecure provides an all-encompassing solution. Intelligent report generation, alerting, automation, automatic deployment onto servers, and certificate enrollment add layers of sophistication, making it a versatile and intelligent asset.