What is a Wildcard SAN Certificate and How Does It Work?


Protect unlimited subdomains on up to a total of 2,000 domains

The most versatile SSL/TLS certificate available today is the multi-domain wildcard, or what’s known as a wildcard SAN certificate. Not only does it give you the flexibility to encrypt multiple domains — up to a total of 2,000 domains per certificate — but it can also secure any associated first-level sub-domains.

Alternatively, you can use a multi-domain wildcard as a multi-level wildcard — meaning that you can secure sub-domains on multiple levels of the host name by listing a wildcard entry for each level. This can be especially useful in large enterprise environments.

Challenges You Can Solve Using a Wildcard SAN Certificate

But aside from the obvious benefits, the wildcard SAN certificate also solves a couple of problems that are specific to standard wildcard certificates. Because the name on your certificate must match the host name a user is connecting with exactly, and the wildcard character stands for exactly one label:

  • Standard wildcards don’t let users connect to your domain with no sub-domain (the non-WWW, bare domain; example.com); and
  • Standard wildcards don’t let users connect with multiple levels of sub-domains.
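The two gaps above follow directly from the matching rule. The following added example (not code from the original article) implements the single-label wildcard rule that browsers apply, as described in RFC 6125 section 6.4.3: `*` may only be the entire leftmost label and matches exactly one label. It then compares a standard wildcard against a constructed multi-domain wildcard SAN list; all domain names are sample values.

```python
"""Hostname-vs-certificate-name matching for wildcard SANs.

Added example (not code from the original article). It implements the
single-label wildcard rule used by browsers and RFC 6125 section 6.4.3:
'*' may only be the entire leftmost label and matches exactly one label.
All domain names below are constructed sample values.
"""


def normalize(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def san_matches_host(san: str, host: str) -> bool:
    """Return True if one certificate name (SAN entry) covers the host."""
    san_labels = normalize(san)
    host_labels = normalize(host)
    if "*" not in san:
        return san_labels == host_labels          # plain name: exact match only
    # A wildcard must be the whole leftmost label; '*.example.com' is fine,
    # 'w*.example.com' and 'www.*.com' are rejected here.
    if san_labels[0] != "*" or any("*" in lbl for lbl in san_labels[1:]):
        return False
    # Refuse wildcards that would match every name under a TLD ('*.com').
    if len(san_labels) < 3:
        return False
    # The '*' stands for exactly one label, so label counts must be equal:
    # this is why '*.example.com' matches neither 'example.com' (one label
    # short) nor 'a.b.example.com' (one label too many).
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]


def cert_covers_host(sans: list[str], host: str) -> bool:
    """A certificate covers a host if any SAN entry matches it."""
    return any(san_matches_host(san, host) for san in sans)


# Constructed examples: a standard wildcard vs. a multi-domain wildcard.
STANDARD_WILDCARD = ["*.example.com"]
MULTI_DOMAIN_WILDCARD = [
    "example.com",          # the apex/non-WWW name the plain wildcard misses
    "*.example.com",        # first-level sub-domains
    "*.dev.example.com",    # second-level, e.g. api.dev.example.com
    "example.net",          # a second domain on the same certificate
    "*.example.net",
]

if __name__ == "__main__":
    for host in ["www.example.com", "example.com",
                 "api.dev.example.com", "app.example.net"]:
        print(f"{host:22} standard={cert_covers_host(STANDARD_WILDCARD, host)!s:5} "
              f"multi-domain={cert_covers_host(MULTI_DOMAIN_WILDCARD, host)}")
```

Running the block prints one line per host: the standard wildcard covers only `www.example.com`, while the multi-domain list covers all four. Note that `a.b.dev.example.com` is still uncovered, since no entry has a wildcard at the third level; each level you need has to be listed.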

Additionally, the following server products don’t support the wildcard character (the asterisk) in certificate names, so a certificate that lists each host name explicitly is the only option for them.

  • Microsoft Office Communications
  • Microsoft Lync
  • Oracle Wallet Manager
  • Windows Mobile 5
  • Microsoft Outlook
  • Barracuda Spam Firewalls
  • LDAPS
  • Active Directory
  • Microsoft Exchange 2007

How to Get an SSL SAN Wildcard Certificate Issued

Now, unfortunately, the way to order a multi-domain wildcard certificate varies by the certificate authority (CA). Heck, some don’t support the product at all. Others, like Sectigo and DigiCert, require different steps from the customer.

With Comodo CA (powered by Sectigo), ordering and getting a multi-domain wildcard issued is fairly straightforward: You fill out a standard CSR using wildcard SANs where needed and Sectigo issues the certificate following validation.
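For the "fill out a standard CSR using wildcard SANs" step, the following added example (not the article's or any CA's tooling) renders an OpenSSL request configuration from a SAN list that mixes plain names and wildcards, rejecting entries a CA will not issue, and optionally runs `openssl req` to produce the key pair and CSR. The domain names are constructed sample values; the function and file names are this example's own.

```python
"""Render an OpenSSL request config for a multi-domain wildcard CSR.

Added example, not code from the original article or from any CA.
The domain names are constructed. The rendered file is consumed by
    openssl req -new -newkey rsa:2048 -nodes -keyout site.key \
                -out site.csr -config san.cnf
and the resulting CSR is what you submit to the CA, which then validates
every SAN entry before issuing.
"""
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Optional


def validate_san(name: str) -> str:
    """Normalise one SAN entry and reject shapes a CA will not issue:
    a '*' anywhere except as the entire leftmost label, or a wildcard
    directly under a top-level domain ('*.com')."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if any(lbl == "" for lbl in labels):
        raise ValueError(f"empty label in {name!r}")
    if "*" in name:
        if labels[0] != "*" or any("*" in lbl for lbl in labels[1:]):
            raise ValueError(f"wildcard must be the whole leftmost label: {name!r}")
        if len(labels) < 3:
            raise ValueError(f"wildcard directly under a TLD is not issuable: {name!r}")
    return name


def render_san_config(common_name: str, sans: list) -> str:
    """Return openssl.cnf text. The CN is repeated in the SAN list because
    clients ignore the CN once a SAN extension is present."""
    names = []
    for n in [common_name, *sans]:
        n = validate_san(n)
        if n not in names:             # de-duplicate while keeping order
            names.append(n)
    alt_names = "\n".join(f"DNS.{i} = {n}" for i, n in enumerate(names, 1))
    return f"""[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[dn]
CN = {names[0]}

[v3_req]
subjectAltName = @alt_names

[alt_names]
{alt_names}
"""


def generate_csr(common_name: str, sans: list, out_dir: str) -> Optional[Path]:
    """Write san.cnf into out_dir and, if openssl is on PATH, produce
    site.key and site.csr next to it. Returns the CSR path, or None when
    openssl is unavailable (the config file is still written)."""
    out = Path(out_dir)
    cnf = out / "san.cnf"
    cnf.write_text(render_san_config(common_name, sans))
    if shutil.which("openssl") is None:
        return None
    subprocess.run(["openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
                    "-keyout", str(out / "site.key"), "-out", str(out / "site.csr"),
                    "-config", str(cnf)], check=True, capture_output=True)
    return out / "site.csr"


# Constructed SAN list: apex, first- and second-level wildcards, a second domain.
SANS = ["example.com", "*.example.com", "*.dev.example.com",
        "example.net", "*.example.net"]

if __name__ == "__main__":
    print(render_san_config("example.com", SANS))
    with tempfile.TemporaryDirectory() as d:
        print("CSR written to:", generate_csr("example.com", SANS, d))
```

You can confirm the SAN extension made it into the request with `openssl req -in site.csr -noout -text` and check the `X509v3 Subject Alternative Name` section before uploading the CSR.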

Graphic: Wildcard SAN Cert from Comodo CA (powered by Sectigo)

With DigiCert, on the other hand, you must request a duplicate certificate with the SANs listed specifically 10 at a time. While the limit per duplicate is 10, there is no limit to the number of duplicates you can have issued. Here’s how to do it:

  1. On the requisite server, create a new CSR/key pair.
  2. Log in to the DigiCert management console.
  3. In the My Orders tab, select the certificate you’d like to duplicate.
  4. On the Manage Your Wildcard Plus page, select Reissue Actions and then click Get a Duplicate.
  5. Enter your CSR in the requisite section.
  6. Click Upload a CSR.
  7. Navigate to the Select Your Server Software section and select the server where you generated the CSR.
  8. In the Specify Subdomains to Secure section, add the SANs you want to use.
  9. Click Process Duplicate Certificate.

Now, all that’s left is downloading the certificate and installing it on your server!

A Word of Caution

Much like standard wildcard certificates, multi-domain wildcard SAN certs are only available in two validation levels: domain (DV) and organization (OV). The Certificate Authority/Browser Forum (CA/B Forum) is very strict about EV issuance, and a wildcard entry matches too broad a set of host names to be entrusted with EV treatment. So, it prohibits the issuance of EV wildcard certificates altogether.

So, while the multi-domain wildcard is the most versatile certificate in the industry, if you want the green EV bar, you’re going to need to purchase something else.