Wildcard SSL Certificate Pros and Cons

Wildcard SSL Certificates allow you to secure an unlimited number of sub-domains on a domain name. This is very advantageous in many setups but there can be some pitfalls. Wildcard certificates are becoming cheaper and much more popular. Here we'll cover some of the benefits and drawbacks:

Wildcard Certificate Benefits

Secures Unlimited Sub-Domains. If you have several sub-domains like mail.yourdomain.com, www.yourdomain.com, and secure.yourdomain.com, you would normally have to buy a separate SSL certificate for each one. With a wildcard SSL certificate you buy and use just one certificate for all of them.

Cheaper. Though they cost more than a single certificate, they can easily be worth it if you need to secure just a few sub-domains. Some certificate providers even provide an unlimited server license so you only buy one wildcard certificate that you can use on as many web servers as necessary. (Use the Certificate Wizard to compare SSL features on these certificates)

Easier to manage. Deploying 30 different individual SSL certificates can be a daunting task, even with a managed PKI interface. And don't forget that you have to do it all over again, when it comes time to renew them. A wildcard certificate makes quick work of many situations.

Wildcard Certificate Drawbacks

Security. If you use a single certificate and private key on multiple websites and servers, it only takes one of those servers to be compromised for the shared private key to be exposed, and then every other server using that key is vulnerable too. Tim Callan from VeriSign comments:

"If I put an individual certificate on every server in my system that is secured with SSL and swapped those certificates out on an annual basis, then that is the maximum diffusion of the vulnerability. The more you get away from that, the more risk you're undergoing in a PKI scenario. The ultimate example of this is Wildcard."

However, some certificate providers allow you to issue as many new wildcard certificates (for the same domain name) as needed, one per server, each with its own unique private key. This makes a wildcard certificate just as secure as a single domain name certificate, at the cost of making things a little more difficult to manage.

Mobile Device Compatibility. Some popular mobile device operating systems, including Windows Mobile 5, don't recognize the wildcard character (*) and therefore can't use a wildcard certificate. For incompatible mobile devices, you need to either use a single certificate or get a wildcard certificate like DigiCert's Wildcard Plus that is designed to work on incompatible mobile devices by including specific sub-domains in the Subject Alternative Name of the certificate.
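The following is an added example, not code from the original article or from any certificate provider. It implements the hostname-matching rules that TLS clients apply to the dNSName entries of a certificate (RFC 6125, section 6.4.3), so you can see exactly which hosts `*.yourdomain.com` covers (one label to the left, so `mail.yourdomain.com` but not `yourdomain.com` or `a.b.yourdomain.com`) and how listing specific sub-domains in the Subject Alternative Name satisfies a client that does not recognise the wildcard character. The `Certificate` class, the `wildcard_support` flag and the sample certificates are constructed for the example; the flag stands in for an older client such as the Windows Mobile 5 case above.

```python
"""Hostname matching for wildcard and SAN certificates (added example)."""
from dataclasses import dataclass, field
from typing import List


def match_dns_name(pattern: str, hostname: str) -> bool:
    """Return True if a certificate dNSName `pattern` matches `hostname`.

    Implements the RFC 6125 6.4.3 rules: names are compared
    case-insensitively, a wildcard may only be the entire left-most
    label, and it matches exactly one label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label and must be followed
    # by at least two more labels: "*.com" and "*" are never valid.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    # One label only: *.yourdomain.com matches mail.yourdomain.com, but
    # not yourdomain.com (too few labels) or a.b.yourdomain.com (too many).
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


@dataclass
class Certificate:
    """Stand-in for the name fields of an X.509 certificate (constructed)."""
    common_name: str
    subject_alt_names: List[str] = field(default_factory=list)

    def identifiers(self) -> List[str]:
        # When a SAN extension is present clients use only its entries
        # (RFC 6125 6.4.4); the Common Name is a legacy fallback.
        return self.subject_alt_names or [self.common_name]


def certificate_matches(cert: Certificate, hostname: str,
                        wildcard_support: bool = True) -> bool:
    """Decide whether `cert` is valid for `hostname`.

    `wildcard_support=False` models a client that does not recognise the
    wildcard character (hypothetical flag): such a client ignores any
    wildcard entry and can only be satisfied by an exact SAN entry.
    """
    for name in cert.identifiers():
        if "*" in name and not wildcard_support:
            continue
        if match_dns_name(name, hostname):
            return True
    return False


# Constructed sample certificates for yourdomain.com.
PLAIN_WILDCARD = Certificate("*.yourdomain.com", ["*.yourdomain.com"])
# A wildcard certificate that also lists specific sub-domains (and the
# bare domain) in the SAN, in the style the article describes.
WILDCARD_WITH_SANS = Certificate(
    "*.yourdomain.com",
    ["*.yourdomain.com", "yourdomain.com",
     "mail.yourdomain.com", "www.yourdomain.com"],
)

if __name__ == "__main__":
    for host in ["mail.yourdomain.com", "yourdomain.com",
                 "a.b.yourdomain.com", "secure.yourdomain.com"]:
        print(f"{host:24} plain wildcard: "
              f"{certificate_matches(PLAIN_WILDCARD, host)!s:5} "
              f"no-wildcard client, plain: "
              f"{certificate_matches(PLAIN_WILDCARD, host, False)!s:5} "
              f"no-wildcard client, with SANs: "
              f"{certificate_matches(WILDCARD_WITH_SANS, host, False)}")
```

Running the block shows the trade-off the article describes: the plain wildcard covers `secure.yourdomain.com` for a normal client but nothing at all for a client that ignores the wildcard, while the certificate with explicit SAN entries covers exactly the hosts you listed for that client and still relies on the wildcard for everything else. A SAN that has to name every host also shows why such certificates need reissuing whenever a sub-domain is added.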

Originally posted on Fri Aug 17, 2007