Wildcard SSL Certificates with SANs

July 8, 2011 by Bruce Morton

Entrust has an updated product offering to include a new flavor of Entrust Wildcard SSL Certificate. The new wildcard SSL certificates support the Subject Alternative Name (SAN) extension to allow better coverage and flexibility in your wildcard investment. Typically, a wildcard certificate has one domain name such as *.example.com. This allows the certificate to be used for all sub-domains ending with example.com such as www.example.com and ww1.example.com.

Wildcard Cert

What the wildcard does not support is the root domain itself — example.com. Entrust solves this issue by adding example.com to the SAN list. As the subscriber, you can choose not to add this domain to the certificate.

In addition, some mobile devices do not support wildcard certificates as they do not recognize that *.example.com could represent www.example.com. In this case, you can add the specific sub-domains that you want supported into the SAN list. Please note that the total number of SANs cannot exceed 11, including your original wildcard domain name.
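As an added illustration (not Entrust's code), the following Python implements the single-label wildcard matching rule browsers apply to a certificate's SAN list, and shows why `*.example.com` covers `www.example.com` but not the root domain `example.com`, why an explicit `example.com` SAN fixes that, and how a client that ignores wildcard entries (as the post says some mobile devices do) only succeeds when the exact sub-domain is listed. The hostname lists and the `MAX_SANS` constant are taken from the post; the function names are my own.

```python
"""Hostname-to-SAN matching for wildcard certificates (added example)."""


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against a hostname.

    A '*' is accepted only as the entire left-most label and matches
    exactly one label, so '*.example.com' covers 'www.example.com' but
    neither 'example.com' (root) nor 'a.b.example.com' (two levels).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial or non-left-most wildcards are rejected
    if len(p_labels) != len(h_labels):
        return False  # the wildcard stands in for exactly one label
    return p_labels[1:] == h_labels[1:]


def hostname_covered(sans, hostname, wildcard_support=True) -> bool:
    """True if any SAN entry covers the hostname.

    wildcard_support=False models a client that does not understand
    wildcard names: such entries are skipped entirely.
    """
    for san in sans:
        if "*" in san and not wildcard_support:
            continue
        if _name_matches(san, hostname):
            return True
    return False


MAX_SANS = 11  # limit stated in the post, wildcard entry included


def san_count_ok(sans) -> bool:
    """Check the SAN list against the product limit from the post."""
    return len(sans) <= MAX_SANS


# Constructed sample SAN lists using the post's names.
WILDCARD_ONLY = ["*.example.com"]
WILDCARD_WITH_SANS = ["*.example.com", "example.com", "www.example.com"]

if __name__ == "__main__":
    for host in ("www.example.com", "ww1.example.com", "example.com"):
        print(host, hostname_covered(WILDCARD_ONLY, host),
              hostname_covered(WILDCARD_WITH_SANS, host))
```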

As a cautionary note, please understand that the use of wildcard certificates means that you may be exposed to greater risks. For instance, if the private key is compromised, then all websites protected by the wildcard certificate may also be compromised. A compromised wildcard certificate could also be used to make a fictitious website on the same root domain appear legitimate.

More details on these risks are documented in our white paper entitled, “The Safe Use of Wildcards & Multi-Server Certificates.”



Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.
