A wildcard SSL certificate secures a domain and all its subdomains with a single certificate. Instead of getting separate certificates for www.example.com, blog.example.com, and api.example.com, a single *.example.com wildcard covers them all.
How wildcards work
The wildcard character * matches any single-level subdomain:
| Certificate | Covers | Doesn’t cover |
|---|---|---|
| *.example.com | www.example.com, blog.example.com, api.example.com, anything.example.com | example.com (bare domain), sub.blog.example.com (nested) |
| *.example.com + example.com | All subdomains + the bare domain | Nested subdomains |
| *.sub.example.com | a.sub.example.com, b.sub.example.com | sub.example.com, example.com |
Key limitation: Wildcards only match one level. *.example.com does NOT cover a.b.example.com.
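The one-label rule in the table above, written out as a checker (an added example, not code from the original page or from GetHTTPS). The certificate names and hostnames it is run against are constructed sample values; `uncovered()` is a helper name assumed here, not a library function.

```python
# Added example: decide whether a hostname is covered by the names in a
# certificate, applying the one-label wildcard rule described above.
# Sample names are constructed for illustration.
from typing import Iterable, List, Optional


def name_matches(cert_name: str, hostname: str) -> bool:
    """True if one certificate name (exact or *.domain) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname  # plain SAN entry: exact match only
    # Wildcard: "*" stands for exactly one label, so the hostname must have
    # the same number of labels as the pattern and share everything after
    # the first label. A bare domain (one label short) or a nested subdomain
    # (one label long) therefore never matches.
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if len(host_labels) != len(cert_labels) or host_labels[0] == "":
        return False
    return host_labels[1:] == cert_labels[1:]


def covering_name(hostname: str, cert_names: Iterable[str]) -> Optional[str]:
    """Return the certificate name that covers hostname, or None."""
    for name in cert_names:
        if name_matches(name, hostname):
            return name
    return None


def uncovered(hostnames: Iterable[str], cert_names: Iterable[str]) -> List[str]:
    """Hostnames you intend to serve that the certificate would NOT cover."""
    names = list(cert_names)
    return [h for h in hostnames if covering_name(h, names) is None]


if __name__ == "__main__":
    planned = ["www.example.com", "example.com", "dev.api.example.com"]
    print(uncovered(planned, ["*.example.com"]))
    print(uncovered(planned, ["*.example.com", "example.com", "*.api.example.com"]))
```

Running the block as a script lists the planned hostnames a `*.example.com`-only certificate would leave uncovered, then shows that adding the bare domain and a nested wildcard closes the gaps.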
Wildcard vs multi-domain (SAN)
| | Wildcard | Multi-domain (SAN) |
|---|---|---|
| Covers | All subdomains at one level | Specific listed domains |
| Flexibility | Any subdomain works automatically | Must list each domain explicitly |
| New subdomains | Covered instantly | Requires new certificate |
| Cross-domain | No (one base domain) | Yes (example.com + other.com) |
| DNS-01 required | ✅ Yes | No (HTTP-01 or DNS-01) |
Use wildcard when: You have many subdomains or add new ones frequently. Use SAN when: You have a small, fixed set of specific domains/subdomains.
When to use a wildcard certificate
Good use cases:
- You run many subdomains (app., api., docs., blog., staging., etc.) and don’t want to manage a separate certificate for each
- You frequently add new subdomains — they’re covered automatically without re-issuing
- Development/staging environments where subdomain names change often
When wildcards don’t fit:
- You need to cover different base domains (example.com + example.org) — use a SAN certificate instead
- You need per-subdomain isolation — a wildcard means every subdomain shares one private key, so a compromise on any host exposes all of them
- You can’t modify DNS records — wildcard issuance requires DNS-01, which needs DNS access
Security considerations
A wildcard certificate means one private key protects all subdomains. If the key is compromised, an attacker can impersonate any subdomain — not just one.
Mitigations:
- Restrict private key access — only the server(s) that need it should have the key file
- Use short-lived certificates — Let’s Encrypt’s 90-day validity limits the exposure window
- Consider separate certificates for high-security subdomains (e.g., admin.example.com might warrant its own cert)
Getting a free wildcard certificate
Let’s Encrypt supports wildcard certificates via DNS-01 challenge at no cost. Most competitors (ZeroSSL, SSL For Free) restrict wildcards to paid plans.
With GetHTTPS:
- Enter *.example.com (+ example.com if you want the bare domain)
- Add the DNS TXT record GetHTTPS provides
- Wait for DNS propagation (GetHTTPS pre-checks this for you)
- Verify and download your certificate files
Installing a wildcard certificate
Same as any certificate — the server doesn’t know it’s a wildcard:
Nginx:
```nginx
server {
    listen 443 ssl http2;
    # Both the wildcard and the bare domain, matching the names on the certificate
    server_name *.example.com example.com;
    ssl_certificate /etc/ssl/fullchain.pem;
    ssl_certificate_key /etc/ssl/privkey.pem;
}
```
Apache:
```apache
<VirtualHost *:443>
    ServerName example.com
    # Any one-level subdomain is served by this vhost
    ServerAlias *.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/cert.pem
    SSLCertificateKeyFile /etc/ssl/privkey.pem
    SSLCertificateChainFile /etc/ssl/chain.pem
</VirtualHost>
```
Frequently asked questions
Why can’t I use HTTP-01 for wildcards?
HTTP-01 validates a specific hostname by placing a file at http://hostname/.well-known/acme-challenge/.... A wildcard covers infinite subdomains — there’s no single server to place the file on. DNS-01 proves control of the entire domain through a TXT record at the zone level.
Does *.example.com cover example.com?
No. The bare domain is separate. Add both *.example.com and example.com to your certificate request. GetHTTPS and Certbot both support this in a single certificate.
Can I get a free wildcard from ZeroSSL?
No. ZeroSSL restricts wildcard certificates to paid plans ($10/month+). Let’s Encrypt offers wildcards for free.
Can I have multiple wildcard certificates for the same domain?
Yes. There’s no technical limit. You could have *.example.com and *.staging.example.com as separate certificates. Let’s Encrypt’s rate limit is 50 certificates per registered domain per week.
Does a wildcard certificate cover nested subdomains?
No. *.example.com covers www.example.com and api.example.com but NOT dev.api.example.com. For nested subdomains, you need a separate wildcard like *.api.example.com.
How do I test if my wildcard certificate is working for a specific subdomain?
Point the subdomain’s DNS to your server, then test:
```shell
echo | openssl s_client -connect subdomain.example.com:443 -servername subdomain.example.com 2>/dev/null | openssl x509 -noout -subject -dates
```
The certificate should show CN=*.example.com or *.example.com in the SAN field. If you get a connection error, the subdomain’s DNS isn’t pointing to the server hosting the wildcard certificate.
Can I use a wildcard certificate on multiple servers?
Yes. Install the same fullchain.pem and privkey.pem on every server that handles subdomains. The certificate doesn’t know which server it’s on — it just validates the hostname.