CyberGlossary

Network Security

Wildcard Certificate

Also known as: Wildcard TLS certificate

Definition

An X.509 certificate whose subject name uses an asterisk to cover any single label under a given domain, such as *.example.com.

A wildcard certificate covers an arbitrary number of single-label subdomains of a parent domain. It is convenient for serving many subdomains, multi-tenant applications and dynamic naming with a single certificate and private key. The asterisk applies to one DNS label only — *.example.com matches a.example.com but not a.b.example.com — and never matches the bare apex. Trade-offs include a wider blast radius if the private key is stolen (every subdomain becomes a forgeable target), more complex lifecycle handling, and tighter scrutiny by CAs (often requiring DNS-01 validation). For sensitive subdomains, prefer dedicated certificates with strong key isolation and short lifetimes.

Examples

  • *.example.com used to terminate TLS for blog.example.com, shop.example.com and api.example.com.
  • A SaaS platform issuing a single *.tenants.example.com wildcard for all customer subdomains.
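The single-label rule above in working code, as an added example that is not part of this glossary: `wildcard_matches` is a hypothetical helper that accepts `blog.example.com` for `*.example.com` but rejects the bare apex and nested labels, and `covered_hosts` lists which names in an inventory one wildcard key would expose. It assumes the leading, whole-label form `*.<parent>` that public CAs issue.

```python
"""Hostname matching for wildcard certificates (added example, not glossary code).

Implements the rule from the entry: the asterisk covers exactly one DNS
label, never the bare apex and never nested labels. Assumes the pattern
has the form "*.<parent>" (one leading, whole-label wildcard).
"""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`.

    DNS names are case-insensitive, so both sides are lowercased, and a
    trailing dot (fully qualified form) is stripped before comparison.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    # A name without a wildcard must match exactly.
    if not pattern.startswith("*."):
        return pattern == hostname

    parent = pattern[2:]  # "*.example.com" -> "example.com"
    if parent == "" or "*" in parent:
        return False  # only one leading, whole-label wildcard is accepted

    # The host must be <exactly one label>.<parent>: strip the parent suffix
    # and require the remainder to be a single, non-empty label.
    suffix = "." + parent
    if not hostname.endswith(suffix):
        return False  # different parent, or the bare apex "example.com"
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def covered_hosts(pattern: str, inventory: list[str]) -> list[str]:
    """Names in `inventory` that a stolen key for `pattern` could impersonate."""
    return [h for h in inventory if wildcard_matches(pattern, h)]


if __name__ == "__main__":
    # Constructed inventory, illustrating the blast-radius point in the entry.
    hosts = ["example.com", "blog.example.com", "api.example.com",
             "a.b.example.com", "example.com.evil.test"]
    print(covered_hosts("*.example.com", hosts))
```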

Related terms