Wildcard Certificates 101

In an age of seemingly never-ending data breaches, it’s now more important than ever to ensure the security of your domain through the use of SSL certificates. But if your organization is large and has numerous sites and subdomains at its disposal, you’re likely familiar with how painful certificate management can become. One way you can lighten the load from both an administrative and expense standpoint is through the use of Wildcard Certificates.

What is a Wildcard Certificate?

A Wildcard Certificate is a single, standalone certificate that utilizes a placeholder character, typically an asterisk (*), in the domain name field. This placeholder gives the certificate the flexibility to be used across multiple subdomains under a single domain, specified at the time of creation of the Certificate Signing Request, or CSR. Your website and all of its subdomains can be granted authentication and HTTPS encryption via the use of a Wildcard Certificate.

Why Are Wildcard Certificates Useful?

Rather than needing a full inventory of unique certificates for each subdomain, a Wildcard Certificate can secure all of them, not only speeding up and simplifying the management process, but also helping to cut costs as well.


For example, let’s say that we want to secure our subdomains under the main novick.tech domain. If we wanted to secure www.novick.tech, mail.novick.tech, and app01.novick.tech, we could go through the process of creating CSRs for each, and applying those individual certificates. But instead of specifying the subdomain when generating the CSR, if we use *.novick.tech, we will get a certificate that can secure every single one.


Wildcards are great regardless of the size of the environment, but are especially beneficial to larger enterprise operations that may need certificates for dozens of subdomains. It can quickly turn into a nightmare trying to track individual certificates for so many subdomains, so a Wildcard Certificate is an easy answer to that particular pain point.


In addition, any new subdomains you open underneath the domain covered by the Wildcard will be covered for as long as the certificate remains valid. So for example, when we take out a Wildcard for *.novick.tech, at the time we requested the certificate, we only had www.novick.tech and app01.novick.tech. But later, if we decide to stand up an email server at mail.novick.tech, we can apply the previously-acquired Wildcard Certificate without needing to make any changes to the certificate itself.


Where Can I Get a Wildcard Certificate?

If you search for Wildcard Certificates via your search engine of choice, you’ll find no shortage of sites offering Wildcard Certificates. In fact, your organization may already be using some of these services for other purposes, such as GoDaddy. DigiCert is also a reputable provider for TLS/SSL and PKI needs, and can handle everything from the certificate itself to full-on PKI management solutions.


There are also several reseller websites, which have commissioned commercial Certificate Authorities (CAs) to generate the certificates they sell. While there are dozens of resellers, these certificates generally end up coming from one of several trusted sources, such as Comodo, AddTrust, VeriSign, or Entrust (just to name a few).

Wildcard Certificates vs. SAN Certificates

You may have come across other types of certificates when researching ways to secure multiple subdomains, with SAN (Subject Alternative Name) Certificates being a somewhat similar-sounding option to Wildcards. However, while Wildcards and SANs are both SSL Certificates that can secure your site, the scope and type of coverage they each provide differs, so it’s important to understand the distinctions.

A Wildcard Certificate is an excellent choice for securing the subdomains of a single domain, as previously stated. There’s no limit to the number of subdomains it can secure, and that is true of both Wildcard and SAN Certificates. But where they differ is the domain itself: a Wildcard can only secure a single domain (and an unlimited number of first-level subdomains), while a SAN Certificate can secure multiple domains, anywhere from 5 up to 250 in total.

In other words, if we were simply looking to secure the novick.tech domain and all the subdomains underneath it, a Wildcard would be a great choice for that. But if we wanted a certificate that could handle novick.tech as well as novick.com, novicktech.net, and so on, the most practical option would be the SAN Certificate.
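To make the difference concrete, here is an added example (not code from the original post) that applies the standard browser matching rule for certificate names: the asterisk must be the entire leftmost label and matches exactly one label. It assumes the domain names used in the post above; note that the bare novick.tech is only covered if it is listed as a separate name, which is why wildcard certificates are often issued with the bare domain as an extra SAN entry.

```python
"""Wildcard vs SAN coverage check (hypothetical example, not from the original post).

Implements the common browser rule for DNS name matching (RFC 6125 style):
the '*' must be the whole leftmost label and matches exactly one label,
so '*.novick.tech' covers 'www.novick.tech' but not 'novick.tech' or
'a.b.novick.tech'. Comparison is case-insensitive.
"""
from typing import Iterable


def _label_matches(pattern_label: str, host_label: str) -> bool:
    # Only a whole-label wildcard is accepted; partial forms like 'w*' never match
    return pattern_label == "*" or pattern_label == host_label


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a single certificate name (plain or wildcard) covers hostname."""
    pattern_labels = pattern.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if "*" in pattern:
        # Wildcard must be the complete leftmost label, appear only once,
        # and sit under at least two further labels (no '*.tech').
        if pattern_labels[0] != "*" or "*" in pattern[1:] or len(pattern_labels) < 3:
            return False
    # A wildcard consumes exactly one label, so the label counts must be equal;
    # this is what stops '*.novick.tech' from covering 'a.b.novick.tech'.
    if len(pattern_labels) != len(host_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(pattern_labels, host_labels))


def certificate_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any name in the certificate's name list covers hostname."""
    return any(name_matches(name, hostname) for name in cert_names)


# Constructed certificate name lists mirroring the post's examples
WILDCARD_CERT = ["*.novick.tech"]
SAN_CERT = ["novick.tech", "novick.com", "novicktech.net"]

if __name__ == "__main__":
    for host in ["www.novick.tech", "app01.novick.tech", "novick.tech",
                 "a.b.novick.tech", "novick.com"]:
        print(f"{host:20} wildcard={certificate_covers(WILDCARD_CERT, host)!s:5} "
              f"san={certificate_covers(SAN_CERT, host)}")
```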

Another difference between Wildcard and SAN Certificates is in the price. If you’re purchasing a certificate from GoDaddy, you’ll find that SAN Certificates generally run around $160 per year, which would cover five domains. But the Wildcard Certificate, which as we’ve learned would cover a single domain and all subdomains, runs around $300 per year. These are both on three year terms, so you’re looking at somewhere in the range of $500-900, depending on whether you need a SAN or a Wildcard. While the prices themselves will differ from site to site, it’s generally the same principle: Wildcards are the more expensive option.

How Do I Get a Wildcard Certificate?

If you decide that a Wildcard Certificate is a good fit for you and your organization, then you’ll be able to purchase one from a previously-mentioned source (such as GoDaddy or DigiCert), or from any number of online providers.

Before you can install the certificate and start securing your domain, however, you’ll need to generate a Certificate Signing Request (CSR) for the provider. This in and of itself is a multi-step process, and can be tricky to navigate. For more info on getting your CSR, see this how-to article, and for all your other PKI and Active Directory needs, get in touch with Novick Tech for a consultation today.
