Wildcard SSL Certificate
Wildcard SSL certificates secure a domain and all its subdomains with a single certificate. Learn how wildcard certs work, their limitations, and when to use them.
A wildcard SSL certificate secures a domain and an unlimited number of its first-level subdomains using a single certificate. The Common Name (CN) is set to *.example.com, where the asterisk matches any single subdomain label.
What a Wildcard Covers
A certificate for *.example.com secures:
- www.example.com
- api.example.com
- staging.example.com
- mail.example.com
It does not cover:
- The apex domain example.com itself (unless also listed in the SAN)
- Second-level subdomains like app.api.example.com: the wildcard only matches one label deep
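The one-label matching rule above, written out as an added example (not code from this page or its decoder) that checks hostnames against a certificate's SAN entries. The function names and sample SAN lists are constructed for illustration. Case folding, trailing-dot handling, and ignoring partial wildcards such as w*.example.com are assumptions beyond what the page states.

```python
from __future__ import annotations

# Added illustration: function names are hypothetical, sample data is constructed.


def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing root dot, split into labels."""
    return name.strip().lower().rstrip(".").split(".")


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName entry covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    # '*' never spans a dot, so the label counts must be equal. This is what
    # excludes both the apex (too few labels) and app.api.example.com (too many).
    # An empty label (".example.com") is not a valid hostname.
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # The wildcard stands in for exactly one whole leftmost label.
        return p[1:] == h[1:]
    # No wildcard, or a partial one such as "w*": exact comparison only
    # (assumption: partial wildcards are not honoured).
    return p == h


def covered_by(sans: list[str], hostname: str) -> str | None:
    """Return the first SAN entry that covers hostname, or None."""
    return next((s for s in sans if san_matches(s, hostname)), None)


def coverage_report(sans: list[str], hostnames: list[str]) -> dict[str, str | None]:
    """Map each hostname to the SAN entry covering it (None = not covered)."""
    return {h: covered_by(sans, h) for h in hostnames}


if __name__ == "__main__":
    # Constructed sample: one certificate with only the wildcard, one that
    # also lists the apex domain in its SANs.
    hosts = ["www.example.com", "example.com", "app.api.example.com"]
    for sans in (["*.example.com"], ["*.example.com", "example.com"]):
        print(sans)
        for host, entry in coverage_report(sans, hosts).items():
            print(f"  {host:22} {'covered by ' + entry if entry else 'NOT covered'}")
```

Running it against an inventory of hostnames before a certificate swap shows which names would fail validation, typically the apex or a nested subdomain.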
How to Identify a Wildcard Certificate
Paste the certificate into the decoder and look at the Subject Alternative Names (SANs) section. A wildcard certificate will list at least one SAN entry starting with *. — for example, DNS: *.example.com.
Wildcard Security Considerations
Because a single private key covers all subdomains, a compromise of the private key on one server (e.g., a development environment) exposes all subdomains. For high-security deployments, per-subdomain certificates are preferable. Let's Encrypt and modern ACME clients make it cheap and easy to issue individual per-domain certificates automatically.
Wildcard vs. Multi-Domain (SAN) Certificates
A wildcard covers unlimited subdomains of one domain, but cannot cover multiple different base domains. A multi-domain (SAN) certificate can cover multiple distinct domains (e.g., example.com, example.org, example.net) but requires each domain to be explicitly listed.