
How to Get a Free Wildcard SSL Certificate

A wildcard SSL certificate secures a domain and all its subdomains with a single certificate. For example, *.example.com covers www.example.com, blog.example.com, api.example.com, and any other subdomain — without listing each one individually.

With GetHTTPS, you can get a wildcard certificate from Let’s Encrypt for free. Most competitors (ZeroSSL, SSL For Free) charge for wildcard certificates.

Prerequisites

  • A domain name you want to secure with a wildcard (e.g., example.com)
  • Access to your domain’s DNS settings — wildcard certificates require DNS-01 validation (HTTP-01 doesn’t work for wildcards)
  • A modern browser

Why DNS-01 only? The HTTP-01 challenge validates a single hostname by placing a file at http://hostname/.well-known/acme-challenge/.... A wildcard covers an unbounded set of subdomains, so there is no single server on which to place the file. DNS-01 proves control of the entire domain through a DNS TXT record.

Step 1: Open GetHTTPS

Go to gethttps.com/app/setup. An account key and certificate key will be generated automatically in your browser.

Step 2: Enter your wildcard domain

Enter *.example.com (replace example.com with your domain).

Common configurations:

What you enter | What’s covered
*.example.com | All subdomains (www, blog, api, etc.)
*.example.com + example.com | All subdomains + the bare domain
*.sub.example.com | All sub-subdomains of sub.example.com

Important: A wildcard certificate for *.example.com does not cover example.com itself (the bare domain). If you want both, add example.com as a separate name — GetHTTPS will handle both in one certificate.

Step 3: Add the DNS TXT record

GetHTTPS will show you a DNS TXT record to create:

  • Record name: _acme-challenge.example.com
  • Record value: A long random string (different each time)
  • Record type: TXT

Add this record in your DNS provider:

Cloudflare

  1. Go to DNS → Records → Add record
  2. Type: TXT
  3. Name: _acme-challenge (Cloudflare auto-appends your domain)
  4. Content: paste the value from GetHTTPS
  5. TTL: Auto
  6. Click Save

AWS Route 53

  1. Go to Hosted zones → select your domain
  2. Click Create record
  3. Record name: _acme-challenge
  4. Record type: TXT
  5. Value: "paste-value-here" (include the quotes)
  6. Click Create records

GoDaddy

  1. Go to DNS Management
  2. Click Add under Records
  3. Type: TXT
  4. Name: _acme-challenge
  5. Value: paste the value from GetHTTPS
  6. TTL: 1 Hour
  7. Click Save

Namecheap

  1. Go to Domain List → Manage → Advanced DNS
  2. Click Add new record
  3. Type: TXT
  4. Host: _acme-challenge
  5. Value: paste the value from GetHTTPS
  6. TTL: Automatic
  7. Click Save all changes

Step 4: Wait for DNS propagation

DNS changes take 1-5 minutes to propagate globally, sometimes longer depending on your provider and TTL settings.

GetHTTPS’s pre-check feature queries public DNS (via Google’s DNS-over-HTTPS) to verify your TXT record is visible before submitting to Let’s Encrypt. Wait until the pre-check passes before clicking Verify.
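The kind of decision a pre-check makes, as an added example (this is not GetHTTPS's code). It interprets a JSON answer in the shape returned by https://dns.google/resolve and distinguishes a visible record from a missing one, a CNAME created by mistake, and a stale value left from an earlier order. The function names and sample values are constructed for illustration.

```javascript
// Added example, not GetHTTPS's code. Field names (Status, Answer, type, data)
// follow the JSON returned by https://dns.google/resolve; sample values are constructed.
const TYPE_CNAME = 5, TYPE_TXT = 16;   // DNS record type numbers
const NXDOMAIN = 3;                    // DNS response code: name does not exist

// Resolvers may return TXT data wrapped in double quotes; compare the bare string.
const unquote = (s) => s.replace(/^"([\s\S]*)"$/, '$1');

// Decide whether one expected challenge value is visible in a DoH response.
function precheck(response, expected) {
  if (response.Status === NXDOMAIN) return { status: 'missing', others: [] };
  const answers = response.Answer || [];
  const txt = answers.filter(a => a.type === TYPE_TXT).map(a => unquote(a.data));
  const others = txt.filter(v => v !== expected);   // leftovers from earlier orders
  if (txt.includes(expected)) return { status: 'visible', others };
  if (answers.some(a => a.type === TYPE_CNAME)) return { status: 'wrong-type', others };
  return { status: txt.length ? 'stale' : 'missing', others };
}

// Live query against Google's JSON DoH endpoint (needs network; not called here).
async function lookupTxt(recordName) {
  const url = 'https://dns.google/resolve?type=TXT&name=' + encodeURIComponent(recordName);
  return (await fetch(url)).json();
}

// Constructed responses for _acme-challenge.example.com.
const NAME = '_acme-challenge.example.com.';
const SAMPLES = {
  notYet: { Status: 3 },
  cname:  { Status: 0, Answer: [{ name: NAME, type: 5, TTL: 300, data: 'www.example.com.' }] },
  stale:  { Status: 0, Answer: [{ name: NAME, type: 16, TTL: 300, data: '"OLD-CONSTRUCTED-VALUE"' }] },
  both:   { Status: 0, Answer: [
    { name: NAME, type: 16, TTL: 300, data: 'OLD-CONSTRUCTED-VALUE' },
    { name: NAME, type: 16, TTL: 300, data: 'NEW-CONSTRUCTED-VALUE' }] },
};
```

A "visible" result reflects one public resolver's view only; the `others` list shows which leftover values are still published alongside the new one.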

Step 5: Verify and download

Once the pre-check confirms your DNS record, click Verify. Let’s Encrypt will validate the challenge and issue your wildcard certificate.

Download all four files:

  • privkey.pem — your private key (keep secret)
  • cert.pem — your wildcard certificate
  • chain.pem — intermediate certificate
  • fullchain.pem — cert + chain (most servers need this)

Step 6: Install the wildcard certificate

The installation is the same as any SSL certificate. Use fullchain.pem and privkey.pem:

Nginx:

server {
    listen 443 ssl http2;
    server_name *.example.com example.com;

    ssl_certificate     /etc/ssl/fullchain.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
}

Apache:

<VirtualHost *:443>
    ServerName example.com
    ServerAlias *.example.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/cert.pem
    SSLCertificateKeyFile   /etc/ssl/privkey.pem
    SSLCertificateChainFile /etc/ssl/chain.pem
</VirtualHost>

Cleanup

After your certificate is issued, you can delete the _acme-challenge TXT record from your DNS. It’s only needed during validation. You’ll create a new one when you renew.

Why GetHTTPS for wildcards?

Most browser-based SSL tools charge for wildcard certificates:

Tool | Free wildcard? | How
GetHTTPS | ✅ Yes | DNS-01 via Let’s Encrypt
ZeroSSL | ❌ Paid only ($10/mo+) |
SSL For Free | ❌ No |
Certbot | ✅ Yes | DNS-01, needs CLI + root
acme.sh | ✅ Yes | DNS-01, needs CLI

GetHTTPS is the only browser-based tool that offers free wildcard certificates. No installation, no CLI, no root access needed — just DNS access.

Common mistakes

Adding *.example.com but forgetting example.com

A wildcard covers subdomains but not the bare domain. If you only get *.example.com, visitors to https://example.com (without www) will see a certificate error. Always add both.

Not waiting for DNS propagation

DNS changes can take 1-30 minutes depending on your provider and TTL settings. Don’t click Verify too quickly — GetHTTPS’s pre-check will tell you when the record is visible.

Creating a CNAME instead of a TXT record

The challenge record must be TXT type, not CNAME, not A, not AAAA. Some DNS UIs default to a different type — double-check before saving.

Leaving old _acme-challenge records

If you have a stale _acme-challenge TXT record from a previous certificate, delete it before adding the new one. Multiple TXT records for the same name can confuse validation.

Frequently asked questions

Does *.example.com cover example.com (bare domain)?

No. A wildcard certificate for *.example.com covers www.example.com, blog.example.com, etc., but not example.com itself. Add both *.example.com and example.com in GetHTTPS to cover both.

Does it cover sub-subdomains like a.b.example.com?

No. *.example.com only covers one level of subdomain. For *.sub.example.com, you’d need a separate wildcard.
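The coverage rules from Step 2 and the two answers above, as an added example (not code from GetHTTPS). It checks which hostnames a list of certificate names covers and works out which names to enter for a given set of hosts; the function names are hypothetical and the hostnames are the page's example.com placeholders.

```javascript
// Added example (not GetHTTPS code); function names are hypothetical.

// Split a DNS name into lowercase labels, ignoring a trailing dot.
function labels(name) {
  return name.toLowerCase().replace(/\.$/, '').split('.');
}

// True if one certificate name covers one hostname.
// "*" is honoured only as the entire left-most label and stands for exactly
// one label, so it never matches the bare domain or a deeper subdomain.
function nameCovers(certName, hostname) {
  const pattern = labels(certName);
  const host = labels(hostname);
  if (pattern.length !== host.length) return false;
  return pattern.every((label, i) =>
    (i === 0 && label === '*') ? host[0] !== '' : label === host[i]);
}

// Hostnames from `hostnames` that no name in `certNames` covers.
function uncovered(certNames, hostnames) {
  return hostnames.filter(h => !certNames.some(n => nameCovers(n, h)));
}

// Names to enter for `hostnames` under `apex`: the apex itself if it is
// listed, plus one wildcard per distinct parent domain.
function namesToRequest(apex, hostnames) {
  const apexName = labels(apex).join('.');
  const wanted = new Set();
  for (const h of hostnames) {
    const host = labels(h);
    const joined = host.join('.');
    if (joined === apexName) { wanted.add(apexName); continue; }
    if (!joined.endsWith('.' + apexName)) throw new Error(`${h} is not under ${apex}`);
    wanted.add('*.' + host.slice(1).join('.'));
  }
  return [...wanted].sort();
}
```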

Can I get a wildcard certificate for free from ZeroSSL?

No. ZeroSSL restricts wildcard certificates to paid plans. Let’s Encrypt (via GetHTTPS) offers wildcard certificates at no cost.

How often do I need to renew?

Every 90 days, same as any Let’s Encrypt certificate. You’ll need to create a new DNS TXT record for each renewal. With the upcoming 47-day validity limit (by 2029), this will become more frequent.

Is DNS-01 safe? I’m modifying my DNS.

Yes. You’re only adding a TXT record — it doesn’t affect your website’s traffic, email, or any other DNS records. The _acme-challenge subdomain is specifically designed for ACME validation.
