Wildcard SSL Certificate (Wildcard Certificate)

Security Glossary - SSL/TLS

Definition: A wildcard certificate secures a domain and all its first-level subdomains using a single certificate. It uses an asterisk (*) in the domain name field, such as *.example.com, which covers any subdomain like www.example.com, app.example.com, and mail.example.com but not the apex domain (example.com) unless explicitly listed.

Why Wildcard Certificate Matters

Wildcard certificates simplify management when you run multiple subdomains. Instead of obtaining and renewing separate certificates for each subdomain, a single wildcard covers them all. This reduces administrative overhead and the risk of individual certificates expiring unnoticed.

However, wildcards carry a security tradeoff. If the wildcard certificate's private key is compromised, every subdomain is affected simultaneously. For this reason, some organizations prefer individual certificates for critical services (like payments or authentication) while using wildcards for less sensitive subdomains. The principle of least privilege suggests limiting the blast radius of a key compromise.

Wildcard certificates only cover one level of subdomain. A certificate for *.example.com covers blog.example.com but not blog.staging.example.com. For multi-level subdomains, you would need either a separate wildcard (*.staging.example.com) or SAN certificates listing each specific subdomain. Let's Encrypt supports wildcard certificates, but they require DNS-01 challenge validation instead of the simpler HTTP-01 challenge.

How to Check

An SSL checker will show whether a wildcard certificate is in use and which subdomains it covers. Check that the common name or SAN field shows *.yourdomain.com. Verify the certificate covers both the wildcard and the apex domain if you need both.
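The single-label matching rule described above and the coverage check in this section, as an added example that is not part of the original glossary entry. The SAN list is a constructed stand-in for what Python's ssl getpeercert() returns; fetch_peercert is a hypothetical helper for pulling a live certificate when network access is available.

```python
"""Work out which hostnames a wildcard certificate really covers.

Matching follows the rule browsers and public CAs apply: '*' is valid only
as the entire leftmost label, it stands in for exactly one label, and it
never matches the apex domain or a deeper subdomain.
"""
import socket
import ssl


def san_matches(san: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry covers hostname."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    labels = san.split(".")
    # '*' must be the whole leftmost label, with at least two labels after it
    # (so '*.com' and partial wildcards like 'w*.example.com' are rejected).
    if labels[0] != "*" or len(labels) < 3 or "*" in san[2:]:
        return False
    host_labels = hostname.split(".")
    # Exactly one label is consumed by '*': the apex and deeper names fail.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def dns_sans(peercert: dict) -> list:
    """Extract dNSName entries from the dict ssl's getpeercert() returns."""
    return [v for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"]


def coverage(peercert: dict, hostnames: list) -> dict:
    """Map each hostname to whether the certificate would be accepted for it."""
    sans = dns_sans(peercert)
    return {h: any(san_matches(s, h) for s in sans) for h in hostnames}


def fetch_peercert(host: str, port: int = 443) -> dict:
    """Hypothetical helper: fetch a live server's certificate (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Constructed stand-in for getpeercert() output: wildcard plus apex SAN.
    CERT = {"subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"))}
    for host, ok in coverage(CERT, ["www.example.com", "example.com",
                                    "blog.staging.example.com"]).items():
        print(f"{host:26s} {'covered' if ok else 'NOT covered'}")
```

Drop the apex entry from the constructed SAN list to see the case the FAQ warns about: example.com stops being covered while every first-level subdomain still is.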


Frequently Asked Questions

Does a wildcard certificate cover the root domain?

Not automatically. A certificate for *.example.com covers subdomains but not example.com itself. Most CAs include both *.example.com and example.com as SANs in wildcard certificates, but you should verify this in the certificate details.

Can I get a free wildcard certificate?

Yes. Let's Encrypt issues free wildcard certificates. The only requirement is using DNS-01 validation (proving domain ownership by creating a DNS TXT record) instead of HTTP-01 validation.
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.