tls wildcard certificate

The widespread adoption of SSL/TLS certificates helps to curb traffic from being transmitted over insecure connections. This shift toward data in transit protection plays a significant part in safeguarding our digital privacy. Google flags websites that do not have a valid SSL/TLS certificate as “Not Secure.” If you’re a site visitor and you land on a site that displays such a security alert, the chances are that at least a few folks will heed the warning and not proceed. If you’re a business owner, this could lead to a dip in sales as well as damage to your brand value.

As HTTPS connections became the norm, digital certificate providers identified the varying needs of websites and businesses and came up with targeted solutions to meet those needs. A TLS wildcard certificate is one such solution that secures a website along with an unlimited number of its first-level subdomains. With a cost-effective solution such as a wildcard TLS certificate, you can encrypt your website and associated subdomains, using a single certificate.

What Is a TLS Wildcard Certificate?

A TLS wildcard encrypts a domain and an unlimited number of subdomains at a specific level using a single certificate. It is cost effective and makes certificate management easier since you don’t have to install separate certificates for each domain., and you only need to fill out a single certificate signing request (CSR).

But how do wildcard TLS certificates work? Let’s take a look.

How Does a Wildcard TLS Certificate Work?

Remember, a standard digital certificate will only protect a single domain. For instance, if you have an SSL/TLS certificate for www.site.com, then it won’t secure product.site.com. A wildcard TLS, on the other hand, is a public key certificate that encrypts an unlimited number of subdomains at one level under a larger domain.

You can cover all subdomains (at one level) accompanying your primary domain, with a wildcard TLS on a single certificate. But how does it all work? Let’s understand how all of this works using the following example:

Todd, a website owner, has been told by clients that they find it difficult to locate the information they are looking for on his page. Todd believes that new customers might find his site hard to navigate because it’s a bit cluttered. He decides to segregate and organize the content structurally using the following subdomains:

contact.site.com
products.site.com
blog.site.com

The first-level subdomains can all be secured under the same wildcard TLS cert – *.site.com.

However, Todd also wishes to encrypt a few second-level subdomains such as:

support.member.site.com
dev.member.site.com
login.member.site.com

These subdomains can be secured using *.member.site.com. However, the wildcard he uses to secure his first-level subdomains can’t also secure his second-level subdomains. So he knows that he needs to get a second wildcard TLS cert to cover the second-level subdomains specifically.

Note that while a wildcard TLS certificate is an effective and practical solution for implementing HTTPS across all subdomains, there are few security concerns that we need to keep in mind. The way a wildcard TLS certificate works is that a private key is shared amongst all subdomains across servers. This means that if your domain gets penetrated by hackers, or if the private key of the cert is compromised, unauthorized subdomains can be created and used to run phishing campaigns.

This sort of breach is not only difficult to detect, but it also impacts the reputation of your brand. Because of this, wildcard TLS certificates are available only for two validation levels — domain validation (DV) and organization validation (OV). EV (extended validation) certificates can’t be issued together with wildcard certs.

Next Steps

Once you’ve purchased your wildcard TLS certificate, generate a CSR. In the common name field, enter an asterisk before your domain name (*.site.com). Once you submit the CSR, the certificate authority (CA) will process your application, issue a certificate and send it to you via email. What remains is for you to follow the instructions to install the cert on your web server and to configure it as required. It’s as simple as that! [CTA]