Wildcard Certificate
What is Wildcard Certificate?
Wildcard Certificate: An X.509 certificate whose subject name uses an asterisk to cover any single label under a given domain, such as *.example.com.
A wildcard certificate covers an arbitrary number of single-label subdomains of a parent domain. It is convenient for serving many subdomains, multi-tenant applications and dynamic naming with a single certificate and private key. The asterisk applies to one DNS label only: *.example.com matches a.example.com but not a.b.example.com, and it never matches the bare apex example.com. Trade-offs include a wider blast radius if the private key is stolen (every subdomain covered by the wildcard becomes a forgeable target), more complex lifecycle handling, and tighter scrutiny by CAs (often requiring DNS-01 validation). For sensitive subdomains, prefer dedicated certificates with strong key isolation and short lifetimes.
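The matching rules above (asterisk as the whole leftmost label, exactly one label, never the apex) as a small checker, added here as an example and not code from the original page; the function names `name_matches` and `hosts_covered` and the host inventory are constructed for illustration. `hosts_covered` is the blast-radius check an operator runs to see which hosts a given wildcard key could impersonate if compromised.

```python
import re

# A DNS label is letters, digits and hyphens, not starting or ending with a hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _labels(name: str) -> list[str]:
    """Normalise a DNS name: lower-case, drop one trailing dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (plain or wildcard) covers hostname.

    Rules follow the definition above and RFC 6125 section 6.4.3 as browsers
    apply it: '*' must be the entire leftmost label, it stands for exactly one
    label, and it never matches the parent (apex) name itself.
    Public-suffix checks (rejecting *.co.uk and the like) are out of scope here.
    """
    p, h = _labels(pattern), _labels(hostname)
    if any(not _LABEL.match(label) for label in h):
        return False                      # hostname is not a valid DNS name
    if "*" not in pattern:
        return p == h                     # plain name: exact label-wise match
    if p[0] != "*" or "*" in p[1:] or len(p) < 3:
        return False                      # partial (b*.), non-leftmost or *.tld wildcards rejected
    # One label replaces '*': a.example.com matches, a.b.example.com and example.com do not.
    return len(h) == len(p) and h[1:] == p[1:]


def hosts_covered(cert_names: list[str], inventory: list[str]) -> list[str]:
    """Blast radius: the inventory hosts that this certificate's key could impersonate."""
    return [host for host in inventory if any(name_matches(n, host) for n in cert_names)]


if __name__ == "__main__":
    # Constructed inventory for illustration.
    inventory = ["example.com", "api.example.com", "db.internal.example.com", "example.org"]
    print(hosts_covered(["*.example.com"], inventory))  # ['api.example.com']
```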
● Examples
- 01: *.example.com used to terminate TLS for blog.example.com, shop.example.com and api.example.com.
- 02: A SaaS platform issuing a single *.tenants.example.com wildcard for all customer subdomains.
● Frequently asked questions
What is Wildcard Certificate?
An X.509 certificate whose subject name uses an asterisk to cover any single label under a given domain, such as *.example.com. It belongs to the Network Security category of cybersecurity.
What does Wildcard Certificate mean?
An X.509 certificate whose subject name uses an asterisk to cover any single label under a given domain, such as *.example.com.
How do you defend against Wildcard Certificate?
Defences for Wildcard Certificate typically combine technical controls (dedicated certificates for sensitive subdomains, strong private-key isolation, short certificate lifetimes) and operational practices (careful lifecycle handling and CA validation such as DNS-01), as detailed in the full definition above.
What are other names for Wildcard Certificate?
Common alternative names include: Wildcard TLS certificate.