Wildcard SSL Certificates — Setup and Pitfalls

Learn how wildcard SSL certificates work, when to use them, and common mistakes to avoid.


Problem

You want to secure multiple subdomains with a single SSL certificate but aren’t sure how wildcard certificates work or if they’ll cover your use case.

How Wildcard SSL Works

  • A wildcard certificate for *.example.com secures exactly one level of subdomains: the asterisk stands in for a single DNS label, nothing more and nothing less.
  • Covered: www.example.com, api.example.com, app.example.com
  • Not covered: example.com (root), staging.api.example.com (two levels)

Top 3 Pitfalls

  1. Assuming the root domain is covered — Always check the SAN list. Most CAs include example.com + *.example.com, but some don’t.
  2. Multi-level subdomains — *.example.com does NOT match a.b.example.com. You need a separate certificate or a multi-SAN certificate that lists the deeper names explicitly.
  3. DNS-01 challenge automation — Wildcard certs from Let’s Encrypt require DNS-01 validation. If your DNS provider doesn’t support API-based TXT record updates, auto-renewal will fail.
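The single-label matching rule above and pitfalls 1 and 2 are easy to get wrong by eye, so here is an added example (not part of this guide or of DechoNet’s tooling) that applies the rule to a SAN list and reports which hostnames a certificate actually covers. The SAN lists and hostnames are constructed sample data.

```python
"""Check which hostnames a certificate's SAN list covers, using the
one-label wildcard rule: *.example.com stands in for exactly one DNS label."""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN entry (plain name or *.domain) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname            # plain SAN entry: exact match only
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False                          # wildcard only allowed as the leftmost label
    suffix_labels = pattern[2:].split(".")    # e.g. ["example", "com"]
    host_labels = hostname.split(".")
    # Exactly one extra label on the left, and it must be a real label.
    return (
        len(host_labels) == len(suffix_labels) + 1
        and host_labels[0] != ""
        and host_labels[1:] == suffix_labels
    )


def covered(san_list, hostname: str) -> bool:
    """True if any SAN entry covers hostname."""
    return any(hostname_matches(entry, hostname) for entry in san_list)


def coverage_report(san_list, hostnames) -> dict:
    """Map each hostname to whether the SAN list covers it."""
    return {host: covered(san_list, host) for host in hostnames}


# Constructed sample data: a CA that added the root name, and one that did not.
SAN_WITH_ROOT = ["example.com", "*.example.com"]
SAN_WILDCARD_ONLY = ["*.example.com"]
HOSTS = ["example.com", "www.example.com", "api.example.com", "staging.api.example.com"]

if __name__ == "__main__":
    for label, sans in (("with root", SAN_WITH_ROOT), ("wildcard only", SAN_WILDCARD_ONLY)):
        print(f"SAN list ({label}): {sans}")
        for host, ok in coverage_report(sans, HOSTS).items():
            print(f"  {host:26} {'covered' if ok else 'NOT covered'}")
```

Feed it the SAN entries you read off a real certificate to see at a glance whether the root and any two-level names are actually included.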

Diagnosis with DechoNet

  • SSL Check — Verify the certificate’s SAN list to confirm which domains are covered.
  • DNS Lookup — Check if _acme-challenge TXT records exist for Let’s Encrypt validation.

Resolution Checklist

  • Confirm the wildcard cert covers both *.example.com and example.com in the SAN list.
  • For multi-level subdomains, issue a separate certificate or use a multi-SAN cert.
  • Automate DNS-01 challenge with your DNS provider’s API (Cloudflare, Route53, etc.).
  • Set up auto-renewal with certbot or another ACME client and test it with --dry-run before relying on it.
  • After installation, verify the full chain with DechoNet SSL Check.
