Wildcard vs. SAN Certificates: Which Is Right for You?
When you need to secure more than one hostname, a standard single-name SSL/TLS certificate won't cut it. You'll need either a Wildcard certificate or a Multi-Domain (SAN) certificate. Both let you cover multiple hostnames with a single certificate, but they do so in different ways and suit different scenarios. Choosing the right one simplifies management, limits the blast radius of a key compromise, and can save money.
What is a Wildcard Certificate?
A Wildcard SSL/TLS certificate secures a single domain and any number of its first-level subdomains. The asterisk (*) stands in for the leftmost label of the name. It appears in the certificate's Subject Alternative Name (SAN) entry and, by convention, also in the Common Name (CN); browsers and modern TLS libraries match against the SAN entry, not the CN.
SAN: DNS:*.yourdomain.com   (CN = *.yourdomain.com)
A single Wildcard certificate for `*.yourdomain.com` will secure:
- www.yourdomain.com
- blog.yourdomain.com
- shop.yourdomain.com
- api.yourdomain.com
- And any other subdomain at the same level.
Note: The asterisk matches exactly one label, so the wildcard itself does not cover the bare domain (`yourdomain.com`). Most CAs add the bare domain as a second SAN entry, but verify this on the issued certificate rather than assuming it. For the same reason it does not cover second-level subdomains such as `test.api.yourdomain.com`, and a public CA will not issue a wildcard that spans a whole top-level domain or public suffix (`*.com`, `*.co.uk`).
What is a Multi-Domain (SAN) Certificate?
A Multi-Domain certificate, also known as a Subject Alternative Name (SAN) or Unified Communications Certificate (UCC), lets you secure multiple, completely different domain names with a single certificate. By convention the primary domain is also placed in the Common Name (CN), but clients validate against the Subject Alternative Name extension only, so every name the certificate should cover, the primary one included, must appear in the SAN list.
SANs: [domain1.com, domain2.net, sub.domain1.com]
A single SAN certificate can secure a mix of names:
- yourdomain.com (as CN)
- www.yourdomain.com
- another-domain.org
- shop.third-domain.co.uk
- autodiscover.your-exchange-server.local (an internal name: only a private CA can issue this, since public CAs stopped issuing certificates for internal names and reserved IP addresses under the CA/Browser Forum Baseline Requirements in November 2015)
You can even include Wildcards as one of the SANs (e.g., `*.yourdomain.com`), creating a powerful Multi-Domain Wildcard certificate.
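To make the matching rules from the two sections above concrete, here is a small Python matcher. It is an added example for this article, not CertNotify's code or any CA's, and it implements the dNSName rules browsers apply under RFC 6125 section 6.4.3 as tightened by the CA/Browser Forum: the asterisk must be the entire leftmost label, it substitutes exactly one label, and only the SAN list is consulted (the CN is ignored). The certificate name lists and hostnames are constructed from the article's own examples.

```python
"""Match hostnames against a certificate's SAN list, wildcard rules included.

Added example for this article, not CertNotify's or any CA's code.
Implements the dNSName rules browsers apply (RFC 6125 s6.4.3 as tightened
by the CA/Browser Forum): the asterisk must be the whole leftmost label,
it stands in for exactly one label, and it never matches the bare domain.
Only the SAN extension is consulted; the Common Name is ignored, as
modern clients ignore it.
"""
from typing import Iterable, List, Optional


def _normalize(name: str) -> str:
    """DNS names are case-insensitive and a trailing dot denotes the same name."""
    return name.strip().rstrip(".").lower()


def is_valid_wildcard_name(name: str) -> bool:
    """True for a wildcard a public CA may issue: '*' is the whole leftmost
    label and at least two labels follow it (so '*.com' is rejected)."""
    labels = _normalize(name).split(".")
    return (
        labels[0] == "*"
        and len(labels) >= 3
        and all(lbl and "*" not in lbl for lbl in labels[1:])
    )


def name_matches(cert_name: str, hostname: str) -> bool:
    """Does one SAN dNSName entry (exact or wildcard) cover `hostname`?"""
    cert_name, hostname = _normalize(cert_name), _normalize(hostname)
    if "*" not in cert_name:
        return cert_name == hostname
    if not is_valid_wildcard_name(cert_name):
        return False  # partial-label wildcards like w*.example.com are not honoured
    c_labels, h_labels = cert_name.split("."), hostname.split(".")
    # Exactly one label is substituted, so the label counts must be equal:
    # this rules out both 'yourdomain.com' and 'test.api.yourdomain.com'.
    if len(h_labels) != len(c_labels):
        return False
    if not h_labels[0] or "*" in h_labels[0]:
        return False
    return h_labels[1:] == c_labels[1:]


def hostname_covered(san_names: Iterable[str], hostname: str) -> Optional[str]:
    """Return the SAN entry that covers `hostname`, or None if the certificate
    would produce a name-mismatch error for it."""
    for san in san_names:
        if name_matches(san, hostname):
            return san
    return None


def uncovered_hostnames(san_names: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """Hostnames the certificate does not cover: each one means a reissue
    (SAN certificate) or a naming change (wildcard certificate)."""
    sans = list(san_names)
    return [h for h in hostnames if hostname_covered(sans, h) is None]


# Constructed sample data taken from the article's examples.
WILDCARD_ONLY_SANS = ["*.yourdomain.com"]  # the wildcard before the CA adds the bare domain
MULTI_DOMAIN_SANS = [
    "yourdomain.com",
    "www.yourdomain.com",
    "another-domain.org",
    "shop.third-domain.co.uk",
    "*.yourdomain.com",  # a wildcard used as one SAN entry
]

if __name__ == "__main__":
    for host in ["api.yourdomain.com", "yourdomain.com", "test.api.yourdomain.com"]:
        print(f"{host:28} wildcard-only cert covers via: {hostname_covered(WILDCARD_ONLY_SANS, host)}")
    print("multi-domain cert needs reissue for:", uncovered_hostnames(
        MULTI_DOMAIN_SANS,
        ["blog.yourdomain.com", "third-domain.co.uk", "test.api.yourdomain.com"]))
```

Run it and the wildcard-only certificate covers `api.yourdomain.com` but neither `yourdomain.com` nor `test.api.yourdomain.com`, which is exactly why CAs add the bare domain as an extra SAN and why a deeper subdomain forces a separate name. `uncovered_hostnames` is the check to run before a deployment: anything it returns will fail hostname verification with the certificate you have.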
Comparison: Wildcard vs. SAN
| Feature | Wildcard Certificate | SAN Certificate |
|---|---|---|
| Primary Use Case | Securing unlimited subdomains of a single domain. | Securing multiple different domain names. |
| Flexibility | Low. Limited to one domain and its direct subdomains. | High. Can mix and match any domain, subdomain, and IP address. |
| Scalability | Excellent for future subdomains. Add a new subdomain and it's automatically secured. | Requires reissuance. Adding a new domain means reissuing the certificate with the new name added to the SAN list. |
| Cost | Often cheaper if you have many subdomains on a single domain. | Priced per SAN slot. Can be more cost-effective than buying individual certificates for different domains. |
| Validation Levels | Available as Domain Validated (DV) and Organization Validated (OV). Not available as Extended Validation (EV). | Available for all validation levels: DV, OV, and EV. |
| Example | Secures `api.certnotify.com`, `blog.certnotify.com`, etc. | Secures `certnotify.com`, `certnotify.org`, and `mysite.co.uk`. |
When to Choose Which Certificate
Use a Wildcard Certificate if:
- You need to secure multiple subdomains for a single base domain.
- You plan to add more subdomains in the future and want them to be secured automatically without reissuing the certificate.
- Your security policy accepts one private key for all of those hosts: the wildcard key is typically copied to every server behind `api.`, `www.`, `app.`, so a single key compromise lets an attacker impersonate every subdomain until the certificate is revoked and replaced.
- You only need DV or OV level validation.
Use a SAN Certificate if:
- You need to secure several completely different domain names.
- You need to secure a mix of base domains and subdomains.
- You need an EV (Extended Validation) certificate for multiple domains.
- You are securing a Microsoft Exchange or Office Communications Server environment, which often requires specific hostnames.
- You want to explicitly list every hostname for tighter control over what the certificate can be used for. Note that the SAN list is public (it is in the certificate and in Certificate Transparency logs), so it also discloses your hostnames; a wildcard reveals only the base domain.
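The two decision lists above can be applied mechanically. The following planner is an added example, not CertNotify's code: given the hostnames you serve and the base domains you control, it classifies each name as bare domain, first-level subdomain (a wildcard can cover it) or deeper (needs its own SAN entry), proposes the SAN list a single certificate would need, and reports which hosts would share a wildcard's private key so that the policy question can be answered explicitly. Base domains are passed in rather than derived, because deriving them correctly needs the Public Suffix List (`co.uk` is not a base domain); that simplification is an assumption of this example, as are the sample hostnames.

```python
"""Decide which certificate shape covers a list of hostnames.

Added example for this article, not CertNotify's code. Classifies each
hostname relative to an explicitly supplied base domain (deriving base
domains needs the Public Suffix List, which this example deliberately
does not do) and builds the SAN list one certificate would need, using
a wildcard wherever a base domain has two or more first-level subdomains.
"""
from typing import Dict, Iterable, List


def base_domain_of(hostname: str, base_domains: Iterable[str]) -> str:
    """Longest base domain that `hostname` equals or is a subdomain of."""
    hostname = hostname.lower().rstrip(".")
    matches = [b.lower() for b in base_domains
               if hostname == b.lower() or hostname.endswith("." + b.lower())]
    if not matches:
        raise ValueError(f"{hostname} is not under any base domain you control")
    return max(matches, key=len)


def plan_certificate(hostnames: Iterable[str], base_domains: Iterable[str]) -> Dict[str, object]:
    """Return the SAN list, slot count, wildcard key-sharing groups and whether
    EV is still possible (EV certificates cannot contain wildcards)."""
    bases = list(base_domains)
    hosts = list(dict.fromkeys(h.lower().rstrip(".") for h in hostnames))  # dedupe, keep order
    per_base: Dict[str, Dict[str, List[str]]] = {}
    for host in hosts:
        base = base_domain_of(host, bases)
        group = per_base.setdefault(base, {"bare": [], "first_level": [], "deeper": []})
        # Labels above the base: "api.yourdomain.com" -> "api." -> depth 1;
        # "test.api.yourdomain.com" -> "test.api." -> depth 2.
        depth = 0 if host == base else host[: -len(base)].count(".")
        if depth == 0:
            group["bare"].append(host)
        elif depth == 1:
            group["first_level"].append(host)
        else:
            group["deeper"].append(host)  # a wildcard cannot reach this name

    sans: List[str] = []
    wildcard_covers: Dict[str, List[str]] = {}
    for base, group in per_base.items():
        sans.extend(group["bare"])  # the wildcard never covers the bare domain
        if len(group["first_level"]) >= 2:
            wildcard = f"*.{base}"
            sans.append(wildcard)
            wildcard_covers[wildcard] = group["first_level"]  # these hosts share one key
        else:
            sans.extend(group["first_level"])
        sans.extend(group["deeper"])
    return {
        "sans": sans,
        "slots": len(sans),
        "wildcard_covers": wildcard_covers,
        "ev_possible": not wildcard_covers,
    }


# Constructed sample fleet based on the article's examples.
SAMPLE_HOSTS = [
    "yourdomain.com", "www.yourdomain.com", "api.yourdomain.com",
    "test.api.yourdomain.com", "another-domain.org", "shop.third-domain.co.uk",
]
SAMPLE_BASES = ["yourdomain.com", "another-domain.org", "third-domain.co.uk"]

if __name__ == "__main__":
    plan = plan_certificate(SAMPLE_HOSTS, SAMPLE_BASES)
    print("SAN list:", plan["sans"])
    print("slots:", plan["slots"], "| EV possible:", plan["ev_possible"])
    for wildcard, hosts in plan["wildcard_covers"].items():
        print(f"{wildcard} shares one private key across: {hosts}")
```

For the sample fleet the planner proposes five SAN slots (`yourdomain.com`, `*.yourdomain.com`, `test.api.yourdomain.com`, `another-domain.org`, `shop.third-domain.co.uk`), flags that `www` and `api` would share the wildcard key, and reports that EV is off the table while the wildcard is present. Swap the wildcard for explicit names if the key-sharing answer is no.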
Simplify Your Certificate Management
Whether you use Wildcard, SAN, or a mix of both, managing expiry dates can be a challenge. CertNotify monitors all your certificates, regardless of type or issuer, and alerts you before they expire.
Start Monitoring for Free →