A wildcard certificate secures all subdomains of one domain (e.g. *.example.com), while a SAN (Subject Alternative Name) certificate secures a specific list of different names. Both let one certificate cover multiple hostnames instead of managing many separate certificates.
As sites grow into many subdomains or brands, managing a certificate per hostname becomes painful. Wildcard certificates cover every subdomain of a domain; SAN (multi-domain) certificates cover an explicit set of names. Choosing the right one simplifies operations and avoids gaps.
Check your website
See how your site handles wildcard and san certificates: securing multiple names — free, no account needed.
For business owners
The wrong certificate strategy leads to forgotten subdomains serving insecure or expired certificates — each one a trust warning for customers. Wildcard and SAN certificates reduce that risk and administrative overhead, so every part of your web presence stays protected with fewer moving parts.
How it works (technical)
A wildcard certificate lists a name like *.example.com and matches any single-level subdomain (blog.example.com, shop.example.com) but not the apex alone or nested subdomains (a.b.example.com). A SAN certificate lists explicit names in the Subject Alternative Name field — useful for unrelated domains (example.com, example.net, brand.io). SANs are also how a single certificate covers both the apex and www. Wildcards concentrate risk in one private key, so protect it carefully; SANs require re-issuance whenever the list of names changes.
Real-world example
A company ran a dozen product subdomains and issued a separate certificate for each — several eventually expired unnoticed. Switching to a single wildcard certificate for *.example.com meant one renewal covered every subdomain and eliminated the surprise expiries.
Why it matters
Covering every hostname keeps the whole site trusted and avoids per-subdomain expiry gaps. Scanners flag hostnames whose certificate does not match the name being served.
How to fix it
List every hostname you serve, including apex,
wwwand subdomains.Use a wildcard for many subdomains under one domain, or a SAN certificate for distinct domains.
Ensure the served certificate's names match the hostname (no name-mismatch errors).
Protect wildcard private keys carefully, since they cover everything.
Automate renewal so multi-name certificates never lapse.
Best practices
Include both the apex and
wwwas SAN entries so both resolve securely.Prefer a wildcard for large, changing sets of subdomains.
Store wildcard keys securely and rotate them if exposure is suspected.
Common mistakes
Assuming a wildcard covers the apex or nested subdomains (it does not).
Serving a certificate whose names do not match the requested hostname.
Reusing one wildcard key across many unrelated systems, widening blast radius.
Frequently asked questions
Does *.example.com cover example.com?
No. A wildcard covers subdomains only. To secure the apex too, include example.com as an explicit SAN entry on the certificate.
Wildcard or SAN — which should I pick?
Use a wildcard for many subdomains of a single domain; use a SAN/multi-domain certificate when you need to cover several distinct domains.
Put this into practice
See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.
Scan your website free