

What is a Wildcard Domain Certificate?


A wildcard certificate is a TLS certificate that uses an asterisk in place of a subdomain, for example *.example.com, so a single certificate secures the base domain and all of its first-level subdomains. 

A wildcard certificate secures a domain and every one of its first-level subdomains with a single certificate and private key, so an organization does not need a separate certificate for each subdomain. It can be issued with Domain Validation (DV) or Organization Validation (OV) but never with Extended Validation (EV), and because every covered subdomain shares one private key, a single key compromise or a single missed renewal takes down every site the certificate protects at once. 

Key Takeaways 

  • A wildcard certificate, such as *.example.com, covers the base domain and all first-level subdomains with one certificate, cutting management overhead. 
  • Wildcard certificates can be issued as DV or OV but not EV under CA/Browser Forum rules, since EV requires validating one specific, named entity and domain. 
  • All covered subdomains share the same private key, so a compromised key or an expired certificate affects every subdomain at once, as Epic Games experienced in a May 2018 outage. 
  • A wildcard covers only one level of subdomain depth: *.example.com does not cover sub.sub.example.com. Deeper structures need a separate wildcard or a multi-domain (SAN) certificate. 
  • Public wildcard certificates follow the same shrinking validity schedule as other TLS certificates: 200 days today, falling to 100 days in 2027 and 47 days by 2029. 

What is a Wildcard Certificate?

A wildcard certificate is a public key certificate that protects a domain and an unlimited number of its first-level subdomains, issued from a trusted public certificate authority. A single *.example.com certificate can secure www.example.com, shop.example.com, mobile.example.com, and any other first-level subdomain, in place of a separate certificate for each one. 


How a Wildcard Certificate Works

The wildcard character (*) in the certificate’s Common Name or Subject Alternative Name field represents any single subdomain label at that position. For an organization with www.example.com, pki.example.com, and codesign.example.com, one *.example.com wildcard certificate replaces three separate single-domain certificates, and automatically covers any new first-level subdomain added later at no extra cost. 

Wildcard certificates can be issued as DV, verified in minutes through proof of domain ownership, or as OV, which adds the organization’s verified details to the certificate. They cannot be issued as EV, since EV validation is built around one specific, named organization and domain rather than an open set of subdomains. 

What a Wildcard Certificate Does and Doesn’t Cover

Certificate and what it covers:

  • *.example.com: every first-level subdomain of example.com (www, shop, mobile, and so on), plus the bare example.com when it is also listed explicitly on the certificate. 
  • *.sub.example.com: the first-level subdomains of sub.example.com only (a.sub.example.com, b.sub.example.com), plus sub.example.com itself when it is also listed explicitly; never example.com or its other subdomains. 
  • Not covered by *.example.com: second-level subdomains such as a.b.example.com, and the bare example.com unless it is also listed explicitly. 

Multi-level or multi-domain coverage requires either a separate wildcard for each subdomain level or a multi-domain (SAN) certificate that lists every required name explicitly. 

Wildcard vs Individual vs Multi-Domain (SAN) Certificates

Type, coverage, and best fit:

  • Single-domain certificate. Coverage: one fully qualified domain name. Best fit: a single site with no subdomains to secure. 
  • Wildcard certificate. Coverage: one domain and all its first-level subdomains. Best fit: many subdomains under one base domain, added or changed frequently. 
  • Multi-domain (SAN) certificate. Coverage: a defined list of specific domains and subdomains named in the certificate. Best fit: a fixed set of unrelated domains or subdomains at different levels. 

Benefits of Wildcard Certificates

  • Secures an unlimited number of first-level subdomains with a single certificate. 
  • Simplifies certificate administration: one certificate to renew and deploy instead of many. 
  • Costs less than purchasing and managing a separate certificate for every subdomain. 
  • Covers new subdomains automatically, without waiting on a new certificate to launch a site. 

Risks of Wildcard Certificates

The same trait that makes wildcard certificates convenient, one private key covering many subdomains, is also their biggest risk. 

  • Shared private key. If the key is compromised, an attacker can impersonate any subdomain the certificate covers, not just one. 
  • Single point of failure. If one server hosting the wildcard certificate is compromised, every subdomain sharing that certificate is exposed to the same risk. 
  • Renewal blast radius. When the certificate expires or is revoked, every covered subdomain loses HTTPS at the same time. 
  • Fraudulent issuance. If an attacker tricks a CA into issuing a wildcard certificate for a spoofed organization, they can stand up phishing sites across many subdomains at once. 

In May 2018, Epic Games experienced a widely reported outage when an expired wildcard SSL certificate, deployed across numerous production services on AWS, blocked logins for large numbers of Fortnite and Rocket League players. Recovery took roughly five and a half hours. Because a wildcard certificate is deployed in many places at once, a single missed renewal can cause exactly this kind of wide-reaching outage. 
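The coverage rules from the table above and the renewal blast radius just described, as an added example that is not part of the original article: a small matcher that applies the one-label rule (a wildcard stands for exactly one leftmost label, so *.example.com does not match the bare domain or a second-level name), and an inventory check that lists every deployed host that would lose HTTPS when one wildcard certificate expires. The inventory of hostnames is constructed for illustration.

```python
"""Wildcard coverage and renewal blast radius (added example, not the page's code)."""
from __future__ import annotations


def _labels(name: str) -> list[str]:
    # Lower-case, drop a trailing dot, reject empty labels such as "a..b".
    labels = name.lower().rstrip(".").split(".")
    if any(not label for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return labels


def name_covers(cert_name: str, hostname: str) -> bool:
    """True if one certificate name (SAN or CN) matches the hostname.

    *.example.com matches shop.example.com but neither example.com
    nor a.shop.example.com: the asterisk replaces exactly one label.
    """
    if "*" in hostname:
        raise ValueError(f"hostname may not contain a wildcard: {hostname!r}")
    pattern, host = _labels(cert_name), _labels(hostname)
    if "*" not in cert_name:
        return pattern == host  # plain name: exact match only
    # Partial-label (f*.example.com) or non-leftmost (shop.*.com) wildcards
    # are rejected rather than guessed at; so is an overly broad *.com.
    if pattern[0] != "*" or any("*" in label for label in pattern[1:]):
        raise ValueError(f"unsupported wildcard pattern: {cert_name!r}")
    if len(pattern) < 3:
        raise ValueError(f"wildcard too broad: {cert_name!r}")
    # Equal label count means exactly one label stands in for the asterisk.
    return len(host) == len(pattern) and host[1:] == pattern[1:]


def certificate_covers(san_names: list[str], hostname: str) -> bool:
    """True if any name listed on the certificate matches the hostname."""
    return any(name_covers(name, hostname) for name in san_names)


def blast_radius(san_names: list[str], deployed_hosts: list[str]) -> list[str]:
    """Hosts that lose a valid TLS identity when this one certificate expires."""
    return sorted(h for h in deployed_hosts if certificate_covers(san_names, h))


if __name__ == "__main__":
    # Constructed inventory: one wildcard certificate rolled out to many hosts.
    wildcard_cert = ["*.example.com", "example.com"]
    hosts = ["www.example.com", "shop.example.com", "a.shop.example.com",
             "example.com", "login.example.net"]
    print("lost on expiry:", blast_radius(wildcard_cert, hosts))
    print("unaffected:", [h for h in hosts if not certificate_covers(wildcard_cert, h)])
```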

How Encryption Consulting Helps

CertSecure Manager tracks every deployment location of a wildcard certificate, so a single renewal updates all of them and an expiring wildcard never becomes a surprise outage. It automates discovery, issuance, and renewal across public and private CAs, backed by Encryption Consulting’s ISO/IEC 27001:2022 and SOC 2 certifications. 

Frequently Asked Questions

Can a wildcard certificate be Extended Validation (EV)? 

No. CA/Browser Forum rules do not permit EV issuance for wildcard certificates, because EV requires verifying one specific, named organization and domain rather than an open set of subdomains. 

Does a wildcard certificate cover sub-subdomains? 

No. A *.example.com certificate covers only first-level subdomains such as shop.example.com. It does not cover a.shop.example.com; that requires a separate wildcard at that level or a multi-domain (SAN) certificate. 

What happens if a wildcard certificate’s private key is compromised? 

An attacker who obtains the private key can impersonate any subdomain the certificate covers, not just one. The certificate must be revoked and reissued with a new key pair, and every deployment location must be updated. 

How long is a wildcard certificate valid? 

Public wildcard certificates follow the same CA/Browser Forum schedule as other TLS certificates: a maximum of 200 days as of March 2026, dropping to 100 days in March 2027 and 47 days in March 2029. 

Is a wildcard certificate cheaper than buying multiple certificates? 

Usually, yes, once more than a handful of subdomains are involved. A single wildcard certificate costs more than one basic single-domain certificate, but far less than purchasing and managing a separate certificate for every subdomain individually. 

Deploy and Renew Wildcard Certificates With Confidence

Ready to make sure a wildcard renewal never becomes an outage? See CertSecure Manager in action, or try our free CSR Generator to request your next certificate.