Where to buy cheap wildcard SSL certificates (and how to choose the right one)

kentonherman79 (Guest)

If you need TLS for all subdomains of a domain (for example, blog.example.com, app.example.com, staging.example.com), a wildcard certificate (covers *.example.com) can be a convenient, cost-effective way to secure them all. This article explains your options for cheap (and free) wildcard certificates, what to watch for, and practical steps to get one installed and renewed.
Quick summary
Best free option: Let’s Encrypt (wildcard support via DNS-01 challenge, requires DNS automation).
Best low-cost paid options: reputable resellers such as Namecheap, SSLs.com, GoGetSSL, CheapSSLsecurity (resellers/brands issuing Sectigo/RapidSSL certificates).
Enterprise brands (DigiCert, GlobalSign, Entrust) are more expensive but useful for large organizations.
Wildcards only cover one subdomain level (*.example.com) and do not cover the bare domain (example.com) unless you include it explicitly.

What a wildcard certificate does (and does not)
Covers any single-level subdomain: *.example.com secures foo.example.com, bar.example.com.
Does not cover deeper levels: *.example.com will not cover a.b.example.com.
Does not automatically include the apex (example.com). You must request both *.example.com and example.com if you want both.
EV (Extended Validation) wildcard certificates are not issued — EV requires explicit organization validation and is incompatible with wildcard issuance per CA/Browser Forum standards.

Free option: Let’s Encrypt (recommended if you can automate DNS)
Let’s Encrypt issues free wildcard certificates via the ACME v2 protocol but requires DNS-01 validation.
Pros: Free, trusted, widely supported, easy to automate renewals.
Cons: Requires ability to create DNS TXT records automatically (or you must renew manually every 60–90 days); wildcard certs are short-lived (90 days).
How to use: use certbot with a DNS plugin (Cloudflare, Route53, DigitalOcean, etc.) or other ACME clients (acme.sh). Example with certbot and Cloudflare plugin:
    certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/cloudflare.ini -d "example.com" -d "*.example.com" --agree-tos --email you@example.com
If you cannot automate DNS changes, Let’s Encrypt wildcard is impractical.

Low-cost paid options (good balance of price and convenience)
These companies are resellers or provide certificates from established CAs (Sectigo, RapidSSL, etc.). Prices fluctuate; look for coupons/seasonal deals.
Namecheap — easy management, competitive pricing, good support for beginners.
SSLs.com — frequently among the cheapest for wildcard certificates (resells Sectigo).
GoGetSSL — low-price reseller, often has deep discounts for first year.
CheapSSLsecurity — comparison shopping and reselling; often runs promotions.
RapidSSL/Sectigo via resellers — brands widely sold through resellers; price varies.

What to look for:
Validation type: DV wildcard is the cheapest (Domain Validation). OV/EV not available for wildcard (EV not possible).
Warranty amount (usually marketing — not a replacement for trust).
Re-issue policy, support for multiple installs, customer support quality.
Whether the reseller offers easy renewal and management tools.

Enterprise/brand-name CAs
DigiCert, GlobalSign, Entrust: trusted enterprise-level CAs, good support and extra features (large warranties, advanced management, enterprise tools), but higher cost.
Choose these if you need enterprise SLAs, certificate management platforms, or specific corporate vendor requirements.

Alternatives to wildcard certificates
SAN / Multi-domain certificates: secure multiple specific hostnames in one certificate (can include apex and multiple subdomains across different domains).
Per-subdomain certificates (e.g., Let’s Encrypt per host): manageable with automation and reduces blast radius of key compromise.
Cloud provider or CDN-managed TLS (Cloudflare Universal SSL providers, AWS ACM, Google-managed SSL): often free or included in plans and remove the need to manage certs yourself. Note: Cloudflare’s Universal SSL covers your domain on their edge — different model from importing wildcard certs.

How to pick the right option
Can you automate DNS updates? If yes, Let’s Encrypt is free and recommended for most.
Need simple GUI/paid support? Choose a reputable reseller (Namecheap, SSLs.com, CheapSSLsecurity).
Need enterprise features/SLA? Go with DigiCert, GlobalSign, or Entrust.
Want coverage of apex + wildcard? Ensure you request both example.com and *.example.com.
Check key options: support for RSA 2048/3072 or ECDSA P-256, reinstall/reissue policy, and renewal automation.

Step-by-step: buying and issuing a paid wildcard certificate
Decide domain(s) to cover: example.com + *.example.com if you need both.
Choose a vendor/reseller and make the purchase.
Generate a CSR on your server (include both names in CSR if required).
Use RSA (2048+) or ECDSA (P-256) depending on support needs.
Complete Domain Validation (usually via email, HTTP file, or DNS TXT). Wildcards usually require DNS validation.
Receive certificate files from the CA — typically cert, intermediate, and root chains.
Install certificate on your server(s) or load into your load balancer/CDN.
Configure automatic renewal if supported by the reseller or set reminders to renew before expiration.

Step-by-step: getting a Let’s Encrypt wildcard certificate (DNS automation recommended)
Ensure DNS can be automated (API tokens for providers such as Cloudflare, AWS Route53, DigitalOcean).
Install an ACME client that supports DNS plugins (certbot, acme.sh, dehydrated).
Use the DNS plugin to obtain a cert:
Example (certbot + Cloudflare):
    certbot certonly --dns-cloudflare --dns-cloudflare-credentials ~/.secrets/cloudflare.ini -d "example.com" -d "*.example.com" --agree-tos --email you@example.com
Install cert on your server or load balancer.
Automate renewal with cron/systemd and ensure DNS credentials are available for the plugin.

Security & operational tips
Automate renewals whenever possible. Short lifetime certificates (Let’s Encrypt) make automation essential.
Store private keys securely and rotate them if you suspect compromise.
Prefer ECDSA (P-256) for smaller keys and performance if your stack supports it; otherwise RSA 2048+.
Monitor certificate expiration (use monitoring tools or uptime platforms).
Wildcard certs expand the scope of a key — if a key is compromised, all subdomains are affected. Consider per-service certificates if you want tighter isolation.
Confirm trust chain: validate the certificate chain with public trust stores (browsers, OS) before deploying.

Final recommendation
If you can automate DNS changes: use Let’s Encrypt — free, trusted, and practical.
If you prefer a GUI, consolidated billing, or uninterrupted 1-year certificates: buy from a reputable reseller (Namecheap, SSLs.com, GoGetSSL, CheapSSLsecurity).
For enterprise-grade support and management features: consider DigiCert / GlobalSign / Entrust.

If you want, I can:
Compare current prices from a few resellers (I can list typical vendors; I can’t fetch live prices unless you provide them).
Provide exact certbot commands for your DNS provider.
Walk through CSR generation and installation for a particular server (Apache, nginx, AWS ELB, etc.).
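The coverage rules the post describes (a wildcard matches exactly one label and never the apex) are easy to get wrong when planning which names to request. This added example, not part of the original post, implements browser-style SAN matching and reports which requested hostnames a "*.example.com"-only certificate leaves uncovered; the function names hostname_matches, uncovered_hosts and needed_sans and the sample hostnames are constructed for illustration.

```python
from typing import Iterable


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a SAN entry covers hostname under browser wildcard rules."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # '*' must be the entire left-most label, and at least two labels must
    # follow it, so "f*o.example.com" and "*.com" are never honoured.
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[1:]:
        return False
    # The wildcard stands in for exactly one label: *.example.com covers
    # app.example.com but neither example.com nor a.b.example.com.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def uncovered_hosts(san_names: Iterable[str], hostnames: Iterable[str]) -> list[str]:
    """List the hostnames that no SAN entry covers (input order preserved)."""
    sans = list(san_names)
    return [h for h in hostnames if not any(hostname_matches(s, h) for s in sans)]


def needed_sans(hostnames: Iterable[str]) -> list[str]:
    """Minimal SAN set: the apex verbatim plus one single-level wildcard per parent."""
    sans = set()
    for host in hostnames:
        labels = host.lower().rstrip(".").split(".")
        if len(labels) <= 2:
            sans.add(".".join(labels))             # apex: no wildcard can cover it
        else:
            sans.add("*." + ".".join(labels[1:]))  # one wildcard per depth level
    return sorted(sans)


if __name__ == "__main__":
    # Constructed sample: a certificate whose only SAN is *.example.com,
    # checked against the hostnames the post uses as examples.
    wanted = ["example.com", "blog.example.com", "app.example.com", "a.b.example.com"]
    print("uncovered:", uncovered_hosts(["*.example.com"], wanted))
    print("request these SANs:", needed_sans(wanted))
```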