Many companies wonder: is a Wildcard certificate the right choice for securing my domains, or am I better off choosing single or multi-domain certificates?
It seems attractive to cover everything with one certificate. But practice shows that there are serious risks associated with Wildcard certificates. At New Yard, we therefore do not recommend Wildcard certificates. In this article you can read why, and which alternatives are better suited to modern IT environments.
What is a Wildcard certificate?
A Wildcard certificate covers every subdomain at one level beneath the name it is issued for. It does not by itself cover the main domain (the apex, newyard.co.uk) or deeper levels such as a.b.newyard.co.uk; those have to be added to the certificate as separate names.
Example: *.newyard.co.uk automatically covers mail.newyard.co.uk, portal.newyard.co.uk and shop.newyard.co.uk.
This seems efficient, but there is a downside to simplicity.
Disadvantages of Wildcard certificates
- Everything exposed if the key is compromised
A Wildcard certificate has a single private key, and that key has to be installed on every server that hosts one of the subdomains. If any one of those servers is breached, or the key is otherwise stolen or misused, all subdomains are at risk at once.
- No separate control
You can't manage or revoke individual subdomains separately: revoking the Wildcard revokes it for everything. This is problematic when different teams or vendors are responsible for parts of your environment, because each of them has to be trusted with the same key.
- Impact of shorter lifetimes
Publicly trusted certificates are nowadays valid for at most about one year (398 days), with some providers (such as Let's Encrypt) issuing them for only 90 days, and the CA/Browser Forum has already decided to shorten this further.
With a Wildcard, this means that every renewal has to be rolled out to all servers at the same time. An error or delay in that rollout therefore affects your entire organisation instead of a single service.
Alternatives: single certificates and multi-domain certificates
Separate certificates
With separate certificates, each subdomain gets its own certificate.
- Advantage: risks are contained; if a key is compromised, only that one name is affected.
- Disadvantage: more work and cost with a large number of subdomains.
Multi-domain certificates (SAN certificates)
A strong alternative to Wildcards is a multi-domain certificate (also called a SAN certificate). This allows you to include multiple, specific domains and subdomains in a single certificate.
- Benefit: You decide which subdomains are covered, without everything automatically falling under one certificate.
- Flexible for applications: ideal when multiple related products run in one environment.
For example, consider a Citrix environment, where you can combine subdomains such as:
- storefront.newyard.co.uk
- wem.newyard.co.uk
- studio-web.newyard.co.uk
This way you need fewer certificates than with separate certificates, but you retain more control and security than with a Wildcard.
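The difference in scope between a Wildcard and a SAN certificate comes down to how a client matches the hostname it connects to against the names in the certificate. The following Python is an added example written for this article, not New Yard's tooling or any client's actual implementation: it applies the matching rules browsers use (RFC 6125 / RFC 9525, wildcard only as the entire leftmost label, matching exactly one label) to constructed certificate contents for the two options discussed above, and lists which hostnames would be exposed if each certificate's key leaked. The certificate name lists and hostnames are constructed for illustration; a real client additionally consults the public suffix list to refuse wildcards such as *.co.uk, which this example leaves out.

```python
"""Hostname matching against certificate names, as browsers apply it.

Added example for this article, not New Yard's own code. All certificate
contents are constructed inline; nothing is fetched from the network.
"""


def name_matches(dns_name: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry (or CN) covers `hostname`.

    Rules applied:
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard is accepted only as the whole leftmost label, so
        "f*o.newyard.co.uk" is rejected;
      * a wildcard matches exactly one label: *.newyard.co.uk covers
        mail.newyard.co.uk but not newyard.co.uk (apex) and not
        a.b.newyard.co.uk (deeper level);
      * "*" and "*.uk" are refused as far too broad (a real client also
        checks the public suffix list, which this example omits).
    """
    pattern = dns_name.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")

    if len(pattern) != len(host):
        return False
    if "*" in pattern[0] and pattern[0] != "*":
        return False  # partial wildcard in the leftmost label
    if any("*" in label for label in pattern[1:]):
        return False  # wildcard anywhere but the leftmost label
    if pattern[0] == "*" and len(pattern) < 3:
        return False  # "*" or "*.uk": would cover a whole TLD

    return all(p == "*" or p == h for p, h in zip(pattern, host))


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name in the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def blast_radius(cert_names, hostnames):
    """Hostnames that become impersonable if this certificate's private
    key leaks: every one of your names the certificate is valid for."""
    return sorted(h for h in hostnames if cert_covers(cert_names, h))


# Constructed certificate contents (dNSName entries), not real issued certs.
WILDCARD_CERT = ["*.newyard.co.uk"]
SAN_CERT = [
    "storefront.newyard.co.uk",
    "wem.newyard.co.uk",
    "studio-web.newyard.co.uk",
]

# Constructed inventory of an organisation's hostnames.
HOSTS = [
    "newyard.co.uk",
    "mail.newyard.co.uk",
    "portal.newyard.co.uk",
    "shop.newyard.co.uk",
    "storefront.newyard.co.uk",
    "wem.newyard.co.uk",
    "studio-web.newyard.co.uk",
    "dev.portal.newyard.co.uk",
]

if __name__ == "__main__":
    for label, cert in (("Wildcard", WILDCARD_CERT), ("SAN", SAN_CERT)):
        print(f"{label} certificate {cert}")
        print("  exposed on key compromise:", blast_radius(cert, HOSTS))
```

Note what the apex and the deeper `dev.portal` name show: the Wildcard neither covers them nor protects them, so the organisation would still need further certificates, while the SAN certificate's exposure stops at the three Citrix names that were deliberately put in it.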

Why New Yard does not recommend Wildcard certificates
At New Yard, we see the impact of expired or misused certificates on a daily basis. In our experience, the risks associated with Wildcards are too great, especially as the lifespan gets shorter and shorter. One mistake can cripple an entire organization.
We therefore always recommend choosing a combination of separate certificates for critical applications and multi-domain certificates for related systems, such as a Citrix environment. This way you combine security with ease of management.
Conclusion
Wildcard certificates seem convenient and cost-effective, but carry too many risks.
- Do you have a few, critical domains? Choose single certificates.
- If you have multiple related subdomains, such as in a Citrix environment, choose a multi-domain certificate.
The right choice depends on your environment, number of domains and degree of automation.