StarDomain

Wildcard vs Single Domain SSL

Wildcard vs Single Domain SSL

When purchasing an SSL certificate, one of the key decisions is whether to get a single domain certificate or a wildcard certificate. This guide explains the differences and helps you choose the right option.

Single Domain SSL

A single domain SSL certificate secures one specific domain or subdomain.

What It Covers

  • Secures exactly one fully qualified domain name (FQDN)
  • Example: A certificate for www.example.com covers only www.example.com
  • It does not cover example.com (without www) unless both are included as Subject Alternative Names (SANs)

Tip: Most Certificate Authorities automatically include both example.com and www.example.com in a single domain certificate. Verify this during purchase.

When to Use Single Domain SSL

  • You have one website with one domain
  • You need SSL for a specific subdomain (e.g., mail.example.com)
  • Budget is a primary concern
  • You want DV, OV, or EV validation (all types are available)

Wildcard SSL

A wildcard SSL certificate secures a domain and all its first-level subdomains.

What It Covers

  • Secures the main domain and unlimited first-level subdomains
  • Example: A certificate for *.example.com covers:

- www.example.com

- mail.example.com

- shop.example.com

- blog.example.com

- api.example.com

- Any other *.example.com subdomain

What It Does NOT Cover

  • Multi-level subdomains (e.g., sub.blog.example.com is not covered by *.example.com)
  • Different domain names (e.g., example.net is not covered)
  • The base domain without a subdomain may or may not be included — check with your CA

When to Use Wildcard SSL

  • You run multiple subdomains under one domain
  • You frequently create new subdomains
  • You want to simplify SSL management with a single certificate
  • Cost savings over buying individual certificates for each subdomain

Cost Comparison

ScenarioSingle DomainWildcard
1 domainLower costHigher cost (overkill)
2-3 subdomainsCost of 2-3 certsUsually cheaper
5+ subdomainsCost of 5+ certsSignificantly cheaper
Unlimited subdomainsNot practicalOne fixed price

Tip: If you have 3 or more subdomains, a wildcard certificate is almost always more cost-effective than individual certificates.

Key Differences Summary

FeatureSingle DomainWildcard
CoverageOne FQDNDomain + all first-level subdomains
PriceLower per certHigher but covers unlimited subdomains
ManagementOne cert per domain/subdomainOne cert for everything
Validation typesDV, OV, EVDV, OV (EV wildcards are rare/unavailable)
Security riskLimited — compromise affects one domainBroader — compromise affects all subdomains
Multi-level subdomainsCan secure any specific subdomainOnly first level

Security Considerations

  • Single domain certificates limit the blast radius if a private key is compromised — only that one domain is affected
  • Wildcard certificates mean a compromised key could potentially be used for any subdomain. Store the private key securely and limit access.
  • Consider using separate certificates for high-security subdomains (e.g., payment processing) even if you have a wildcard

Multi-Domain (SAN) Certificates

If you need to secure multiple different domains (not subdomains), consider a Multi-Domain SSL or SAN certificate:

  • Covers multiple distinct domains under one certificate
  • Example: example.com, example.net, anotherdomain.com
  • Available in DV, OV, and EV validation levels

Troubleshooting

  • Wildcard not covering base domain: Some CAs issue wildcards for *.example.com only. Check if example.com (without subdomain) is included as a SAN. If not, request it be added.
  • Need EV wildcard: EV wildcard certificates are generally not available. Use individual EV certificates for specific subdomains instead.
  • Multi-level subdomain not secured: Wildcards only cover one level. For sub.blog.example.com, you need a separate certificate or a *.blog.example.com wildcard.

Related Articles

Need help choosing between wildcard and single domain SSL? Contact {{COMPANY_NAME}} support at {{SUPPORT_EMAIL}} or open a ticket at {{SUPPORT_URL}}.

Need Help?
New TicketTrack TicketKnowledge BaseContact Us