Wildcard SSL Certificate

Secure all your subdomains with a single certificate.

A wildcard SSL certificate covers a domain and all its first-level subdomains. Instead of getting separate certificates for www.example.com, blog.example.com, and shop.example.com, a single *.example.com certificate secures them all.

Wildcards are particularly useful for architectures with many subdomains or dynamic subdomains created by users. They simplify management and reduce costs for paid certificates.

However, wildcards have important limitations to understand before adopting them. This guide explores the benefits, drawbacks, and best practices for using wildcard certificates.

Wildcard Benefits

Why choose a wildcard certificate:

  • Unlimited coverage: a single certificate covers any number of first-level subdomains. Ideal for multi-tenant platforms.
  • Simplified management: one certificate to renew instead of dozens. Less risk of forgetting a renewal.
  • Dynamic subdomains: new subdomains are automatically covered without intervention. Perfect for SaaS.
  • Cost savings: for paid certificates, a wildcard is cheaper than multiple individual certificates.

Wildcard Limitations

What a wildcard cannot do:

  • Single level only: *.example.com covers blog.example.com but NOT sub.blog.example.com. Sub-subdomains need their own wildcard (for example *.blog.example.com).
  • Not the root domain: *.example.com doesn't cover example.com (without subdomain). You must add it explicitly to the certificate.
  • Security risk: if the private key is compromised, every subdomain the certificate covers can be impersonated. A single key now protects a much larger attack surface.
  • DNS challenge required: Let's Encrypt only issues wildcards through the DNS-01 challenge. Automating renewal therefore requires API access to your DNS provider.

Getting a Wildcard Certificate

Steps to get a wildcard with Let's Encrypt:

  1. Prepare DNS access: you'll need to create TXT records. For automation, configure your registrar's API.
  2. Request the certificate: run certbot certonly --manual --preferred-challenges dns -d "*.example.com" -d example.com
  3. Create the DNS record: Certbot displays the value to put in _acme-challenge.example.com. Wait for propagation.
  4. Automate with DNS plugins: install the Certbot plugin for your registrar (Cloudflare, Route53, etc.) for automatic renewal.

Getting a Wildcard

Commands for different scenarios:

#!/bin/bash
# Manual wildcard (you create DNS yourself)
certbot certonly --manual --preferred-challenges dns \
    -d "*.example.com" -d example.com

# Automated wildcard with Cloudflare
apt install python3-certbot-dns-cloudflare
# Create /etc/letsencrypt/cloudflare.ini with:
# dns_cloudflare_api_token = YOUR_TOKEN

certbot certonly --dns-cloudflare \
    --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
    -d "*.example.com" -d example.com

# Wildcard with Route53 (AWS)
apt install python3-certbot-dns-route53
certbot certonly --dns-route53 -d "*.example.com" -d example.com

# Verify wildcard certificate
openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -noout -text | grep DNS

For automation, use a DNS plugin. Manual mode requires intervention at each renewal.

Wildcard Best Practices

Use wildcards effectively:

  • Automate with DNS plugins: manual mode doesn't work for automatic renewal. Use a Certbot plugin suited to your registrar.
  • Protect the private key: a compromised wildcard exposes all your subdomains. Strictly limit private key access.
  • Include the root domain: don't forget to add example.com in addition to *.example.com to cover the domain without subdomain.
  • Monitor all subdomains: a single certificate doesn't mean a single thing to monitor. Check each important subdomain individually.

Wildcard Checklist

  • DNS API access configured
  • Certbot DNS plugin installed
  • Root domain included (example.com)
  • Automatic renewal tested
  • Private key secured
  • Active monitoring for subdomains

Frequently Asked Questions

Does a wildcard cover sub-subdomains?

No, *.example.com covers sub.example.com but not deep.sub.example.com. For that, you'd need *.sub.example.com.
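The single-level rule in this answer, and the "not the root domain" point from the Limitations section, can be checked mechanically. The following POSIX shell helper is an added example, not code from the page or from Certbot: the function names san_covers and cert_covers are assumptions, and the SAN list at the bottom is constructed to mirror the certificate the guide requests (*.example.com plus example.com).

```shell
#!/bin/sh
# Added example (not Certbot's code): apply the wildcard matching rules a TLS
# client uses when it compares a hostname with a certificate's SAN entries.
#   - an exact entry matches only the identical name (case-insensitive)
#   - "*" is only accepted as the whole leftmost label of the entry
#   - "*" stands for exactly one label, so *.example.com covers
#     blog.example.com but neither sub.blog.example.com nor example.com
# san_covers SAN HOST  -> exit 0 if SAN covers HOST, 1 otherwise
san_covers() {
    san=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    host=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    # a hostname being checked may never contain a wildcard itself
    case "$host" in *'*'*) return 1 ;; esac
    case "$san" in
        '*.'*)
            parent=${san#\*.}          # *.example.com -> example.com
            case "$host" in
                *.*) ;;                # need at least two labels to match
                *) return 1 ;;
            esac
            first=${host%%.*}          # leftmost label of the host
            rest=${host#*.}            # the labels after it
            [ -n "$parent" ] && [ -n "$first" ] && [ "$rest" = "$parent" ]
            ;;
        *'*'*)
            return 1                   # partial or non-leftmost wildcard: rejected
            ;;
        *)
            [ "$host" = "$san" ]
            ;;
    esac
}

# cert_covers "SAN1 SAN2 ..." HOST -> exit 0 if any entry covers HOST
# The list is space-separated, as you would read it from
# "openssl x509 -noout -ext subjectAltName" after stripping the "DNS:" prefixes.
cert_covers() {
    list=$1
    target=$2
    found=1
    set -f                             # no globbing while splitting the list
    for entry in $list; do
        if san_covers "$entry" "$target"; then
            found=0
            break
        fi
    done
    set +f
    return $found
}

# Constructed SAN list mirroring the certificate the guide requests
# (*.example.com plus the root domain), and a few names to check against it.
SANS='*.example.com example.com'
for h in www.example.com example.com sub.blog.example.com other.com; do
    if cert_covers "$SANS" "$h"; then
        echo "covered:     $h"
    else
        echo "NOT covered: $h"
    fi
done
```

Run it with sh: the loop at the end reports www.example.com and example.com as covered and sub.blog.example.com and other.com as not covered. Adding *.sub.example.com to SANS is what makes the deeper name pass. To run the same check against a real PEM file, openssl's x509 -checkhost option applies these rules to the certificate's own SAN entries.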

Can I have multiple wildcards on the same server?

Yes, you can have *.example.com and *.other.com on the same server, or even *.sub.example.com in addition.

Is the Let's Encrypt wildcard free?

Yes, all Let's Encrypt certificates are free, including wildcards.

How do I automate without DNS API?

It's difficult. You could script DNS record creation through your registrar's web interface, but that is fragile. Prefer a registrar with an API.

Is a wildcard slower than a simple certificate?

No, SSL performance is identical. The only difference is the wildcard entry in the certificate's Subject Alternative Name field.

Should I use a wildcard for 2-3 subdomains?

For that few, individual certificates are simpler. Wildcards become advantageous from 5-10 subdomains or for dynamic subdomains.

Simplify with Wildcards

Wildcard certificates are perfect for architectures with many subdomains. With DNS automation, renewal is as simple as a standard certificate.

Monitor your wildcard certificates with MoniTao. You'll be alerted before expiration and can react if automatic renewal fails.

Ready to Sleep Soundly?

Start free, no credit card required.