Wildcard Certificates vs Multi-Domain SANs: Pros and Cons

Wildcard certificates cover all subdomains with one cert. SAN certificates list specific domains. Compare the tradeoffs to pick the right approach.

When you need to cover multiple domains or subdomains with SSL, two main strategies exist: a wildcard certificate or a multi-domain SAN certificate. Each has distinct tradeoffs.

Wildcard Certificates

A wildcard certificate uses a * in the Subject Alternative Name field, like *.example.com, to cover any single-level subdomain. One certificate handles www.example.com, api.example.com, app.example.com, and any other subdomain you create in the future.

Advantages:

  • One certificate for unlimited subdomains at one level
  • No need to reissue when adding new subdomains
  • Simpler inventory management

Disadvantages:

  • Doesn't cover the bare domain (example.com) or second-level subdomains (a.b.example.com) — you need both *.example.com and example.com as separate SANs
  • Compromising the private key exposes all subdomains at once
  • Some compliance frameworks (PCI DSS) restrict wildcard use
  • EV wildcards are not issued — EV requires explicit domain listing

Multi-Domain SAN Certificates

A multi-domain SAN certificate explicitly lists every domain in its SAN extension. One certificate can cover example.com, www.example.com, otherdomain.com, and api.thirdsite.io — completely unrelated domains.

Advantages:

  • Works across different domain names and TLDs
  • Supports EV validation per domain
  • Limits blast radius — compromising one key only exposes explicitly listed domains

Disadvantages:

  • Must reissue the certificate to add or remove domains
  • More complex to manage at scale
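To make the coverage rules in the two sections above concrete, here is an added hostname matcher (not code from this page or its decoder) that applies the wildcard rule from RFC 6125: a `*` only as the entire left-most label, matching exactly one label. The SAN lists are constructed for illustration.

```python
# Added example: check which hostnames a certificate's SAN dNSName list covers.
# The wildcard rule follows RFC 6125 section 6.4.3: '*' must be the whole
# left-most label and matches exactly one label, so "*.example.com" covers
# "www.example.com" but neither "example.com" nor "a.b.example.com".

def san_matches(hostname: str, san_entry: str) -> bool:
    """Return True if a single SAN dNSName entry covers the hostname."""
    host = hostname.lower().rstrip(".")
    san = san_entry.lower().rstrip(".")
    if "*" not in san:
        return host == san  # explicit entry: exact match only
    labels = san.split(".")
    # Reject partial wildcards ("*example.com"), wildcards deeper in the name,
    # and overly broad ones such as "*.com".
    if labels[0] != "*" or "*" in san[2:] or len(labels) < 3:
        return False
    host_labels = host.split(".")
    # Same number of labels and identical suffix: the '*' eats exactly one label.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]

def covered_by(hostname: str, sans: list[str]) -> bool:
    """Return True if any SAN entry in the certificate covers the hostname."""
    return any(san_matches(hostname, s) for s in sans)

# Constructed SAN lists mirroring the two approaches discussed on the page.
WILDCARD_SANS = ["*.example.com", "example.com"]          # wildcard + bare domain
MULTI_DOMAIN_SANS = ["example.com", "www.example.com",
                     "otherdomain.com", "api.thirdsite.io"]  # explicit list

if __name__ == "__main__":
    for h in ["www.example.com", "example.com", "a.b.example.com",
              "app.example.com", "otherdomain.com"]:
        print(f"{h:20} wildcard={covered_by(h, WILDCARD_SANS)!s:5} "
              f"multi-domain={covered_by(h, MULTI_DOMAIN_SANS)}")
```

Note that `app.example.com` is covered by the wildcard list but not by the explicit list, which is exactly the reissue-versus-blast-radius tradeoff described above.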

Checking SANs in the Decoder

Paste any certificate into the SSL Certificate Decoder to see exactly which domains are covered — wildcards and explicit entries alike — in the Subject Alternative Names section.
