
What are Wildcard SSL Certificates and SAN SSL Certs?

Posted Date: November 25, 2021
4 min read

Securing multiple domains and sub-domains does not need different SSL certificates anymore. Wildcard SSL Certificates and SAN SSL Certificates are both capable of providing data encryption and security across multiple domains, sub-domains, and more using a single certificate.

In this article, we delve into what Wildcard SSL Certificates and SAN SSL Certificates are, their advantages and drawbacks, the differences between them, and which one to choose for effective security.

Wildcard SSL Certificates

Wildcard SSL Certificates (WC SSL Certificates) secure one primary domain marked with a wildcard character (*) and unlimited sub-domains at the same level of that primary domain. Whether you have 20 sub-domains or 2000 on a single level, you will be able to secure them all with a single WC certificate.

Let’s just take a moment to understand what levels mean with respect to sub-domains.

For an example website, the primary domain is marked with an asterisk symbol: *.example.com.

The first-level sub-domains will be something like:

  • example.com
  • example.com
  • example.com
  • example.com

The second-level sub-domains will look something like this:

  • mail.example.com
  • shop.example.com
  • blog.example.com
  • dev.example.com

A third-level sub-domain will be something like primary.login.example.com, and so on.

It is critical to note that a Wildcard SSL Certificate secures multiple sub-domains at the same level, not at multiple levels. So, if you own a WC SSL Certificate for *.example.com, you are securing first-level sub-domains. If you add a new sub-domain such as music.example.com or news.example.com, it is automatically covered by the certificate and secured.

However, second and third-level sub-domains will not be secured under this Wildcard SSL Certificate. You must purchase another WC SSL Certificate to secure sub-domains under, say, *.shop.example.com or *.mail.example.com.


Advantages

  • Wildcard SSL Certificates are easier to manage as the domain and its unlimited sub-domains are secured under a single certificate.
  • It is a flexible solution as new sub-domains at the same level are automatically added to the certificate and instantly protected, as long as the certificate is within the validity period. The organization does not have to re-issue the certificate to add these new sub-domains.
  • Similarly, sub-domains can be removed, whenever necessary, without having to re-issue the certificate.
  • WC SSL Certs are cost-effective, versatile, and practical solutions to protect multiple sub-domains. You do not have to spend a lot on multiple certificates.
  • The best Wildcard SSL also offers SAN (Subject Alternative Name) capabilities that enable organizations to secure additional domain names.

Drawbacks

  • Wildcard SSL Certificates are available only at Domain Validation and Organization Validation levels of assurance.
  • Extended Validation is not an option. For instance, if an attacker were to create a fraudulent sub-domain, it would automatically be covered by the certificate without any verification or validation. The attacker may use this for phishing attacks against users.
  • It does not secure sub-domains at multiple levels.
  • If multiple parties are managing different sub-domains, it necessitates the sharing of private keys across these parties. This introduces risks of unauthorized access, data breaches, and other attacks.
  • If one sub-domain is compromised, the chance of others being compromised is high.

SAN SSL Certificates 

SAN SSL Certificates are also known as Multi-domain SSL Certificates and Unified Communication Certificates (UCC). A SAN (Subject Alternative Name) SSL Certificate secures multiple Fully Qualified Domain Names (FQDNs) and sub-domains under a single SSL Certificate.

The primary domain is called the Common Name (CN) and the additional domains are referred to as SANs. The SANs can be other FQDNs, domains with other top-level domains (TLDs), sub-domains, or other variations.

With a SAN SSL Cert, an organization can protect, for instance,

  • www.example.com
  • example.com
  • www.1example.org
  • www.example2.net
  • 2example.net
  • example.co.uk
  • blog.example.com
  • anything.example1.org
  • dev.example3.com
  • mail.example.com
  • mail.example.net

The owner of the certificate needs to clearly state the CN and all SANs they wish to secure under the multi-domain SSL Cert while making the Certificate Signing Request (CSR). If the organization wishes to add more SANs to the certificate later, the certificate has to be re-issued; these new SANs are not automatically added to the certificate.
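
The single-level wildcard rule from the Wildcard section and the explicit name list described here can both be checked with a short script. The following Python is an added example, not code from the original article; the function names and the sample inventory are assumptions built from the host names used above, and rejecting partial wildcards and bare `*.tld` patterns is a simplification of what browsers enforce.

```python
def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name covers the hostname.

    The wildcard is honoured only as the whole left-most label and
    stands for exactly one label, so it never spans several levels.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False                      # different depth, or empty label
    if any("*" in label for label in p[1:]):
        return False                      # wildcard outside left-most label
    if p[0] == "*":
        # Simplification: refuse "*.com"-style names with a length check
        # rather than consulting the public suffix list.
        return len(p) > 2 and p[1:] == h[1:]
    if "*" in p[0]:
        return False                      # partial wildcard such as "*shop"
    return p == h


def coverage(cert_names, hostnames):
    """Map each hostname to the certificate entry covering it, or None."""
    return {host: next((n for n in cert_names if name_matches(n, host)), None)
            for host in hostnames}


def uncovered(cert_names, hostnames):
    """Hostnames that would need another certificate or a re-issue."""
    return [h for h, n in coverage(cert_names, hostnames).items() if n is None]


# Constructed sample data (not from a real certificate).
WILDCARD_CERT = ["*.example.com"]         # apex example.com is NOT implied
SAN_CERT = ["www.example.com", "example.com", "example.co.uk",
            "blog.example.com", "mail.example.net"]
INVENTORY = ["mail.example.com", "music.example.com", "example.com",
             "primary.login.example.com", "example.co.uk", "mail.example.net"]

if __name__ == "__main__":
    for kind, names in (("wildcard", WILDCARD_CERT), ("SAN", SAN_CERT)):
        print(f"{kind} certificate leaves uncovered:", uncovered(names, INVENTORY))
```

The wildcard entry leaves the apex `example.com` and the deeper `primary.login.example.com` uncovered; the apex is protected only when it is listed as its own SAN entry.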

Advantages

  • SAN SSL offers all levels of validation: Domain, Organization, and Extended Validation.
  • Versatile SAN SSL Certificates enable organizations to secure web server hostnames, IP addresses, private hostnames, payment gateways, and firewall devices, among others.
  • Depending upon the Certificate Authority and the plan chosen, you may be able to secure 50 to 250 additional SANs under a single SAN SSL Cert.
  • It saves time and cost for organizations looking to secure multiple domains and sub-domains with a single certificate. Further, it is easier to manage.

Drawbacks

  • If new sub-domains or domains are to be added to the certificate, the certificate must be re-issued. This causes risk and downtime for the website.
  • If a private key is stolen or the certificate expires, it leaves all the domains and sub-domains open to attacks and data breaches.  

Wildcard SSL Vs. SAN SSL Certificate – Which one to choose?

Despite their differences, SAN and Wildcard SSL Certificates offer similar encryption strengths (256 bits) and are compatible across most browsers and devices.

If you want to protect your root domain and its sub-domains, it makes sense to go with a Wildcard SSL Certificate. On the other hand, if you have multiple domains and you want to extend your protection in that direction, then a SAN Certificate is the right option.

After considering your security requirements, don’t forget to choose the best SSL certificate providers such as Entrust by Indusface for strong, multi-layered security across your multiple domains and sub-domains.


Ritika Singh
