What is a Wildcard SSL Certificate?

Author: HOSTTEST Editorial   | 19 Jun 2019

Website encryption is done through Hypertext Transfer Protocol Secure (HTTPS) combined with an SSL certificate, which contains all the information needed to establish a secure connection. This certificate is strictly bound to a specific domain address (URL) and can only be used for that purpose. A subdomain such as ftp.example.com therefore requires either a general wildcard certificate or its own individual SSL server certificate.

 

A Wildcard SSL Certificate protects any number of subdomains

In a branched infrastructure with a large number of subdomains (technically referred to as Third-Level Domains), it is time-consuming and laborious to use a separate SSL server certificate for each of them. That is why wildcard certificates have existed since 2008: one certificate for a website allows encryption of multiple domains via HTTPS. In the IT industry, a wildcard is a placeholder. One of the best known is the asterisk *, which stands for any number of different or identical letters or numbers. Adding further letters narrows down the range. The asterisk is by far the most commonly used wildcard and is also the one used in the SSL certificate. Some valid examples are:

  • *.example.com
  • f*.example.com
  • *.ftp.example.com
  • w*w.example.com

Limiting the scope can be useful in some cases for various reasons - for example, to use a different SSL certificate for a specific website, assign different owners to subdomains, or explicitly exclude certain addresses. An asterisk represents one or more letters - so the combination f*.example.com includes domains like ftp.example.com as well as free.example.com.

 


Limitations of a Wildcard SSL Certificate

It is crucial to correctly use a Wildcard SSL certificate and understand its limitations in order to achieve encryption via HTTPS and avoid inadvertently excluding certain parts. For this reason, the following rules must be strictly adhered to:

  • A Wildcard protects only a specific level - neither above nor below it.
  • A combination of multiple placeholders such as *.*.example.com is prohibited.
  • The SSL certificate uses the same HTTPS encryption for all affected subdomains.
  • Combining multiple Wildcards within a single SSL certificate is allowed.
  • Customising information such as the owner of individual instances is not possible.

In the examples above, this means that the wildcard *.example.com allows HTTPS on various sublevels like www.example.com, ftp.example.com, and mail.example.com, but not on the website example.com or on lower levels like ftp.www.example.com. These must either be specified additionally or require their own SSL server certificate. Like any SSL certificate, a wildcard must be verified by the issuing certification authority before being issued to its owner. The authentication methods offered by the certification authority, whether through companies, owners, Domain Name System (DNS), or servers, are at its discretion and should be considered in an SSL certificate comparison. Free providers such as Let's Encrypt usually offer only a few automated procedures due to the otherwise high effort involved.
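The matching rules listed above, written out as an added Python example (not part of the original article and not the code of any certification authority or browser). The function names and the `allow_partial` switch are assumptions of this example; with `allow_partial=False` it models clients that accept the asterisk only as a whole left-most label, so a name such as f*.example.com is rejected.

```python
import re

def wildcard_matches(pattern, hostname, allow_partial=True):
    """Return True if the certificate name `pattern` covers `hostname`."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # A wildcard never crosses a dot, so it protects exactly one level:
    # pattern and hostname must have the same number of labels.
    if len(p) != len(h):
        return False
    # Only one asterisk, and only in the left-most label
    # (*.*.example.com is prohibited).
    if p[0].count("*") > 1 or any("*" in label for label in p[1:]):
        return False
    # Everything to the right of the first label must match literally.
    if p[1:] != h[1:]:
        return False
    if "*" not in p[0]:
        return p[0] == h[0]
    if p[0] != "*" and not allow_partial:
        return False
    # Following the article, the asterisk stands for one or more characters.
    prefix, suffix = p[0].split("*")
    label_re = re.escape(prefix) + r"[^.]+" + re.escape(suffix)
    return re.fullmatch(label_re, h[0]) is not None

def covered_by(cert_names, hostname, allow_partial=True):
    """Names in `cert_names` that cover `hostname` (empty list: not covered)."""
    return [n for n in cert_names if wildcard_matches(n, hostname, allow_partial)]

# Constructed sample: names combined in one certificate, checked against hosts.
CERT_NAMES = ["example.com", "*.example.com", "*.ftp.example.com"]

if __name__ == "__main__":
    for host in ["example.com", "www.example.com", "ftp.www.example.com",
                 "a.ftp.example.com"]:
        print(f"{host:22} -> {covered_by(CERT_NAMES, host) or 'NOT COVERED'}")
```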

Advantages of a Wildcard and Possible Alternatives

When dealing with a complex website that uses paid certificates, a wildcard certificate can help significantly reduce costs. Additionally, it simplifies the administration of HTTPS and has a positive impact on server performance, as it eliminates some of the computationally intensive cryptography by using a single key. When it comes to encrypting a website, there are few alternatives to HTTPS, which are usually technically complex. On the other hand, using a wildcard can be easily avoided by applying for and using a separate SSL certificate for each subdomain. While this approach does not lead to higher costs with providers like Let's Encrypt, it does complicate management and is impractical for a complex website - for example, one with custom subdomains for different clients.

 


Photo: typographyimages - pixabay.com
