This article may be too technical for most readers to understand. (July 2014) (Learn how and when to remove this template message)
In computer networking, a wildcard certificate is a public key certificate which can be used with multiple subdomains of a domain. The principal use is for securing web sites with HTTPS, but there are also applications in many other fields. Compared with conventional certificates, a wildcard certificate can be cheaper and more convenient than a certificate for each domain.
A single wildcard certificate for *.example.com, will secure all these domains:
Instead of getting separate certificates for sub domains, you can use a single certificate for all main domains and sub domains and save your money.
Because the wildcard only covers one level of subdomains (the asterisk doesn't match full stops), these domains would not be valid for the certificate:
Note possible exceptions by CAs, for example wildcard Plus cert by DigiCert contains an automatic "Plus" property for the naked domain example.com
It is not possible to get a wildcard for an Extended Validation Certificate. A workaround could be to add every virtual host name in the Subject Alternative Name (SAN) extension, the major problem being that the certificate needs to be reissued whenever a new virtual server is added.
Wildcards can be added as domains in multi-domain certificates or Unified Communications Certificates (UCC). In addition, wildcards themselves can have subjectAltName extensions, including other wildcards. For example: The wildcard certificate *.wikipedia.org has *.m.wikimedia.org as a Subject Alternative Name. Thus it secures https://www.wikipedia.org as well as the completely different website name https://meta.m.wikimedia.org.
Examples drawn from RFCs and blogs and behavior of browsers: The wildcard applies only to just one label of the domain name. label.label.label.TLD *.domain.com is OK. It will match www.domain.com but not domain.com and not zzz.www.domain.com The wildcard may appear anywhere inside a label (aka "partial-wildcard") f*.domain.com is OK. It will match frog.domain.com but not frog.super.domain.com baz*.example.net is OK and matches baz1.example.net *baz.example.net is OK and matches foobaz.example.net b*z.example.net is OK and matches buzz.example.net Do not allow a label that consists entirely of just a wildcard unless it is the left-most label sub1.*.domain.com is not allowed. A cert with multiple wildcards in a name is not allowed. *.*.domain.com A cert with * plus a top-level domain is not allowed. *.com Too general and should not be allowed. * International domain names encoded in ascii (A-label) are labels that are ascii-encoded and begin with "xn--". Do not allow wildcards in an international label. xn--caf-dma.com is café.com xn--caf-dma*.com is not allowed w*.xn--caf-dma.com, is allowed
RFC 6125 argues against wildcard certificates on security grounds.
- Hendric, William (17 January 2008). "Wildcard SSL Certificate Explained". SSL Certificate Provider. Retrieved 17 February 2015.
- Hendric, William (17 June 2008). "Wildcard SSL Certificate Features". Comodo SSL. SSL Certificate Provider. Retrieved 17 February 2015.
- "Wildcard Certificate Explained in Simpler Terms". 23 May 2016.
- "RFC 2818 - HTTP Over TLS". Internet Engineering Task Force. May 2000. p. 5. Retrieved 2014-12-15.
[...] *.a.com matches foo.a.com but not bar.foo.a.com.
- "RFC 2595 - Using TLS with IMAP, POP3 and ACAP". Internet Engineering Task Force. June 1999. p. 3. Retrieved 2014-12-15.
For example, *.example.com would match a.example.com, foo.example.com, etc. but would not match example.com.
- Wildcard SSL certificate limitation on QuovadisGlobal.com
- "Guidelines For The Issuance And Management Of Extended Validation Certificates, Version 1.5.2" (PDF). CA/Browser Forum. 2014-10-16. p. 10. Retrieved 2014-12-15.
Wildcard certificates are not allowed for EV Certificates.
- x509v3_config-Subject Alternative Name
- The subjectAltName field
- The SAN option is available for EV SSL Certificates on Symantec.com
- Need to be reissued whenever a new virtual server is added
- Wildcard domains can be used within UCC on SSL.com
- SSLTools Certificate Lookup of Wikipedia.org's wildcard ssl certificate
- "RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)". Internet Engineering Task Force. March 2011. p. 31. Retrieved 2014-12-10.
This document states that the wildcard character '*' SHOULD NOT be included in presented identifiers but MAY be checked by application clients (mainly for the sake of backward compatibility with deployed infrastructure). [...] Several security considerations justify tightening the rules: [...]
- "RFC 2595 - Using TLS with IMAP, POP3 and ACAP". Internet Engineering Task Force. June 1999. p. 3.
- "RFC 2818 - HTTP Over TLS". Internet Engineering Task Force. May 2000. p. 5.
- "RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)". Internet Engineering Task Force. March 2011.