The three coverage types
- Single-domain — covers one name (typically plus www). Least coverage, least risk.
- Wildcard — *.example.com covers all subdomains at one level with a single private key.
- SAN / multi-domain — several explicitly named domains in one certificate (Subject Alternative Names).
Convenience vs blast radius
Wildcard is convenient — one certificate for everything under a domain — but groups your entire subdomain surface under a single private key. If it leaks, everything is exposed at once. That is the central trade-off we expand on in wildcard certificate risks.
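As an added example (not CertControl's code and not from the original page), the following Python implements the coverage rules described above and uses them to show the blast radius of one certificate: a wildcard matches exactly one label to the left of its suffix, a SAN list matches its names literally, and `affected_services` lists which hosts in a constructed inventory would share that certificate's private key.

```python
"""Coverage check for single-domain, wildcard and SAN certificates."""

# Constructed inventory of hostnames standing in for a real service list.
INVENTORY = [
    "example.com", "www.example.com", "app.example.com",
    "api.example.com", "dev.api.example.com", "example.org",
]


def _matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (exact or wildcard) against a hostname.

    A wildcard is honoured only as the whole leftmost label ("*.example.com")
    and covers exactly one label: "app.example.com" matches, but
    "dev.api.example.com" (two levels) and the bare "example.com" do not.
    A wildcard directly under a top-level domain ("*.com") is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        if "." not in suffix:          # "*.com" would cover a whole TLD
            return False
        first, sep, rest = hostname.partition(".")
        return sep == "." and first != "" and rest == suffix
    return False


def covers(cert_names, hostname: str) -> bool:
    """True if any name in the certificate (CN/SAN list) covers hostname."""
    return any(_matches(name, hostname) for name in cert_names)


def affected_services(cert_names, inventory=INVENTORY):
    """Hosts in the inventory whose TLS identity depends on this one key.

    For a wildcard this is the blast radius of a private-key compromise.
    """
    return [host for host in inventory if covers(cert_names, host)]


if __name__ == "__main__":
    print("wildcard:", affected_services(["*.example.com"]))
    print("SAN:     ", affected_services(["example.com", "example.org"]))
```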
When to choose which?
- Single-domain: few, isolated services; maximum key isolation.
- SAN: a known, bounded list of domains (e.g. example.com, example.org, app.example.com).
- Wildcard: many uniform, centrally managed subdomains — ideally with automated rotation.
Validation is a separate axis
Coverage and validation level (DV/OV/EV) are independent. Most single, wildcard and SAN certificates are DV. See the full overview in types of certificates.
How CertControl helps
CertControl tracks which domains each certificate covers — so a wildcard's real scope is visible, and you are warned before expiry with the full list of affected services.
Frequently asked questions
What is the difference between a wildcard and a SAN certificate?
A wildcard covers all subdomains at one level (*.example.com). A SAN certificate covers a specific list of named domains.
Are wildcard certificates less secure?
Not inherently, but they group many services under a single private key, so the blast radius of a key compromise is larger. Use them deliberately.
Can one certificate cover several completely different domains?
Yes — that is exactly what a SAN/multi-domain certificate does, e.g. example.com and example.org in one certificate.