
Wildcard SSL

A Wildcard SSL is a digital certificate that secures a primary domain and an unlimited number of its first-level subdomains.

A Wildcard SSL certificate is a public key certificate used to secure a base domain and multiple subdomains. It uses a wildcard character (an asterisk) in the domain name field, typically formatted as *.domain.com. This allows a single certificate to provide encryption for any number of first-level subdomains without requiring an individual certificate for each host.

The validation process relies on matching the requested hostname against the wildcard pattern. When a user accesses api.example.com, the server presents a certificate for *.example.com, and the browser accepts it because the asterisk stands in for the single leftmost label (api). The wildcard covers exactly one level, so a certificate for *.example.com will not secure internal.dev.example.com.
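The matching rule described above, written out as an added example (not code from the original page): the asterisk must be the entire leftmost label of the certificate name and it matches exactly one label of the hostname, so label counts must agree. The `hostname_matches` and `covered_by_certificate` functions and the sample names are constructed for illustration; the strict "whole leftmost label only" behaviour follows what modern browsers and CA issuance rules enforce, and the minimum-label check is a simplification of the real public-suffix rules.

```python
"""Wildcard certificate hostname matching (illustrative example).

Implements the matching rule used for TLS server certificates:
'*.example.com' covers 'api.example.com' but not 'a.b.example.com'
and not the bare 'example.com' unless that name is also listed.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`.

    DNS names are case-insensitive and a trailing dot is not significant,
    so both sides are normalised before comparison.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    # A name without a wildcard must match exactly.
    if "*" not in pattern:
        return pattern == hostname

    labels = pattern.split(".")
    # The asterisk must be the whole leftmost label ('*.example.com');
    # partial ('a*.example.com') or multiple ('*.*.example.com') wildcards
    # are rejected, as browsers and CA issuance rules do.
    if labels[0] != "*" or any("*" in l for l in labels[1:]):
        return False
    # Simplified public-suffix guard: refuse '*.com'-style patterns.
    if len(labels) < 3:
        return False

    host_labels = hostname.split(".")
    # The wildcard stands in for exactly one label, so the hostname must
    # have the same number of labels; this is why 'internal.dev.example.com'
    # is not covered by '*.example.com'.
    if len(host_labels) != len(labels):
        return False
    # The matched label must not be empty (rejects '.example.com').
    if host_labels[0] == "":
        return False
    return host_labels[1:] == labels[1:]


def covered_by_certificate(san_names, hostname: str) -> bool:
    """Check a hostname against every DNS name the certificate lists.

    Real certificates carry their names in the subjectAltName extension;
    issuers normally add the bare apex ('example.com') alongside the
    wildcard, because the wildcard alone does not cover it.
    """
    return any(hostname_matches(name, hostname) for name in san_names)


if __name__ == "__main__":
    # Constructed sample: a typical wildcard certificate's SAN list.
    san = ["*.example.com", "example.com"]
    for host in ("api.example.com", "internal.dev.example.com",
                 "example.com", "API.Example.COM"):
        print(f"{host:28} covered={covered_by_certificate(san, host)}")
```

Run it directly to see which of the sample hostnames the constructed SAN list covers; the two-level name is the one rejected.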

Implementation and Constraints

  • Management Efficiency: Using one certificate simplifies deployment and renewal across complex infrastructures.
  • Infrastructure: It reduces the need for multiple unique IP addresses when using older server software that does not support SNI (Server Name Indication).
  • Risk Profile: Because the same private key is often shared across many servers, the blast radius of a key compromise is significantly larger than with single-domain certificates: every host served under the wildcard is affected, and the certificate must be revoked and replaced everywhere.

Wildcard certificates are available as Domain Validated (DV) and Organization Validated (OV) options. Industry standards prohibit the issuance of Extended Validation (EV) wildcard certificates, to avoid the phishing risk of extending the strongest identity assurance to hostnames that were never individually vetted.