What Is the Difference Between Wildcard and Multi-domain/SAN SSL Certificates?

Scott Rogers

Here at GeoCerts we provide a lot of wildcard and multi-domain certificates to our customers.  Both these certificates allow for a single certificate to work for more than one URL address.  Perhaps not surprisingly, we are frequently asked about the difference between these two certificate types and which to use in which situation.  This post will go over the basics of multi-domain and wildcard SSL certificates.

What is a wildcard certificate?

You can obtain a certificate whose domain name contains a wildcard marker (*).  The marker indicates that the corresponding portion of the name can contain any legal string, and it is only permitted in the leftmost label of the name.  For example, *.mywebsite.com is a valid wildcard name, while shop.*.com is not.

Wildcards are useful for complex businesses or architectures where many sub-domains are in use.  They are also handy because new sub-domains can be added over the course of the certificate's life cycle without replacing it.  The potential downside of wildcards is that they are so generic: in the event of a website takeover or malicious insider behavior, the versatility of the wildcard certificate leaves the door open for a valid certificate to be used for nefarious purposes.  For this reason, wildcards are not available for Extended Validation (EV) SSL.

What is a multi-domain/SAN certificate?

The X.509 certificates used with TLS can include Subject Alternative Names, or SANs.  Each SAN is a distinct domain name for which the certificate is valid.  Unlike wildcards, the SANs do not need to be related to one another in any way: shop.mywebsite.com and www.example.com could be perfectly legitimate SANs coexisting on the same certificate.  Certificates valid for more than one domain name are referred to as multi-domain or SAN certificates.

Multi-domain certificates are useful for situations where the same server may be called on to serve data for more than one domain.  They can be handy for various subdomains under the same main domain name, as in the wildcard examples given above, or they can secure completely unconnected domain names.  Multi-domain certificates are generally considered more secure than wildcards because they are restricted to a specific set of domain names that are locked into the certificate at issuance time.

Multi-domain certificates are your best solution for securing a series of disparate domain names, when security needs prohibit wildcard certificates, or when Extended Validation is required.
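To make the two matching rules concrete, here is an added example (not GeoCerts code) that checks a requested hostname against the names on a certificate.  It assumes the browser rule from RFC 6125 that a wildcard stands for exactly one leftmost label, so *.mywebsite.com covers shop.mywebsite.com and any sub-domain created later, but not mywebsite.com itself or a.shop.mywebsite.com; the two sample certificates are constructed for the demonstration.

```python
"""Hostname matching for wildcard and multi-domain (SAN) certificates."""
from typing import Iterable


def is_valid_wildcard(pattern: str) -> bool:
    """A wildcard is legal only as the entire leftmost label (e.g. *.mywebsite.com).

    Assumption: at least two real labels must follow the '*', since names
    such as *.com are not issued by public CAs.
    """
    labels = pattern.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return False
    return labels[0] == "*" and all(lab and "*" not in lab for lab in labels[1:])


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name (CN or SAN entry) against a hostname.

    Browser rule (RFC 6125): '*' matches exactly one DNS label, so the
    wildcard covers shop.mywebsite.com but not mywebsite.com (too few
    labels) or a.shop.mywebsite.com (too many). Matching is case-insensitive.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname          # plain SAN entry: exact match only
    if not is_valid_wildcard(pattern):
        return False                        # e.g. shop.*.com never matches
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (len(p_labels) == len(h_labels)
            and h_labels[0] != ""
            and p_labels[1:] == h_labels[1:])


def cert_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any name on the certificate covers the requested hostname."""
    return any(name_matches(name, hostname) for name in cert_names)


# Constructed sample certificates illustrating the two types from the post.
WILDCARD_CERT = ["*.mywebsite.com"]
SAN_CERT = ["shop.mywebsite.com", "www.example.com"]

if __name__ == "__main__":
    for host in ["shop.mywebsite.com", "new.mywebsite.com", "mywebsite.com",
                 "a.shop.mywebsite.com", "www.example.com"]:
        print(f"{host:22} wildcard={cert_covers(WILDCARD_CERT, host)!s:5} "
              f"san={cert_covers(SAN_CERT, host)}")
```

Note that new.mywebsite.com, a sub-domain that did not exist when either certificate was issued, is covered by the wildcard certificate but not by the SAN certificate, which is exactly the "locked in at issuance" property discussed above.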

What is UCC?

UCC stands for Unified Communications Certificate, sometimes also referred to as a UC Certificate.  Unified Communications Certificates are required to secure Microsoft Exchange servers.  Fortunately, standard multi-domain certificates are also UC Certificates and will secure Exchange servers.  If you require a UCC, purchase a multi-domain certificate.