The difference between a Wildcard SSL certificate and other SSL/TLS certificates is that other certificates are issued to a single Fully Qualified Domain Name (FQDN), e.g. www.example.com, and can only be used to secure the exact name to which they have been issued. A Wildcard SSL certificate is issued to a Common Name of *.example.com together with a matching Subject Alternative Name (SAN), allowing the certificate to be used for an unlimited number of subdomains across an unlimited number of servers. A single Wildcard SSL certificate secures the domain *.example.com and any number of subdomains at that level: www.example.com, buy.example.com, dev.example.com, mail.example.com, etc. Note that the asterisk stands for exactly one DNS label, so *.example.com on its own does not cover the bare example.com or a deeper name such as dev.api.example.com.
Entrust Wildcard SSL certificates can also carry multiple wildcard SANs, for example *.example.com, *.example.net, *.sample.com and *.examplesample.com, and the SAN list also includes the bare domain (example.com) so that the certificate works with or without a subdomain.
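The matching rules described above are worth seeing in code, because the one-label behaviour of the asterisk is the part most often misunderstood. The following is an added example written for this page, not Entrust's code, and it makes assumptions: the sample certificate dictionary is constructed by hand in the shape that Python's `ssl.SSLSocket.getpeercert()` returns, the SAN names in it (*.example.com, example.com, *.example.net) are illustrative, and the matcher follows the RFC 6125 section 6.4.3 rules that mainstream browsers apply (wildcard only as the whole left-most label, matching exactly one label, and never matching an IP address).

```python
"""Hostname matching against a certificate's SAN list with RFC 6125
single-label wildcard semantics. Example code written for illustration;
not the page's own code and not Entrust's."""

import ipaddress
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns,
# modelling a wildcard certificate that also carries the bare domain
# and a second wildcard as SAN entries. Names are illustrative only.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (
        ("DNS", "*.example.com"),
        ("DNS", "example.com"),
        ("DNS", "*.example.net"),
    ),
}


def dns_names(cert):
    """Return the DNS entries from the SAN extension. The Common Name is
    deliberately ignored: browsers no longer fall back to it, so a wildcard
    that lives only in the CN does not work in practice."""
    return [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]


def wildcard_matches(pattern, hostname):
    """Match one DNS-ID pattern against a hostname.

    Rules applied (RFC 6125 section 6.4.3 as implemented by browsers):
      * comparison is case-insensitive and ignores a trailing dot;
      * '*' is only honoured as the entire left-most label, so a partial
        wildcard such as f*.example.com is rejected;
      * '*' matches exactly one label, so *.example.com matches
        www.example.com but not example.com or a.b.example.com;
      * a wildcard needs at least two labels to its right, so '*.com'
        is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert, hostname):
    """True if any SAN DNS-ID in the certificate covers hostname.
    IP address literals never match a DNS wildcard."""
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    return any(wildcard_matches(p, hostname) for p in dns_names(cert))


def check_live_host(hostname, port=443, timeout=5.0):
    """Fetch a server's validated certificate and report its SAN names and
    whether they cover hostname. Network helper for real use; the offline
    checks below do not call it. Hostname checking is turned off here so
    that a mismatch is reported rather than raised; chain validation stays
    on (CERT_REQUIRED), which getpeercert() needs to return the parsed dict."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return dns_names(cert), cert_covers(cert, hostname)


if __name__ == "__main__":
    for name in ["www.example.com", "example.com", "a.b.example.com",
                 "mail.example.net", "example.net", "10.0.0.1"]:
        print(f"{name:20} covered={cert_covers(WILDCARD_CERT, name)}")
```

Running the script shows that www.example.com and mail.example.net are covered by the wildcards, example.com only because it is listed as its own SAN, and that example.net, a.b.example.com and the IP literal are not covered at all. If the bare domain or a deeper subdomain needs to be served, it has to appear in the SAN list explicitly.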
The combination of flexibility and value lets system administrators add subdomains easily, without the cost or work of deploying new certificates. All Entrust Wildcard SSL certificates also come with a website security bundle that scans the site for malware and helps keep it from being blacklisted.
Using a single certificate, such as a Wildcard certificate, to protect multiple servers has become more common because it is more cost effective and simplifies certificate management. Managing an unlimited number of subdomains with one certificate is a real convenience for system administrators who want to simplify SSL/TLS certificate management. However, Wildcard certificates carry substantial risk unless best practices that mitigate their common weaknesses are followed.
A single Wildcard certificate and its private key may be deployed on many servers, and anyone holding that key can present it, with every appearance of legitimacy, for any subdomain, including a fictitious or fraudulent one. Using one Wildcard certificate to protect multiple servers means exporting the key pair from one machine and importing it into one or more others, so the private key now exists in multiple locations, each of which must be protected to the same standard as the first. The value of that one key is correspondingly greater, because it protects more resources, and a compromise on any one host means revoking and replacing the certificate on every host that shares it. The practice also bypasses controls for subscribers who rely on the certificate approval procedure to track which new servers and domains have been authorized.