Scenario 3.5: Issue Wildcard Certificate

Category: Issue Certificates
Complexity: (High)
Prerequisites: Domain control, Intermediate CA
Estimated Time: 15-20 minutes

Description

This scenario describes issuing a wildcard certificate (*.example.com). Wildcard certificates secure all subdomains of a domain with a single certificate.

Advantages:

One certificate for all subdomains
Easier management
More cost-effective

Disadvantages:

Higher risk if compromised
Does not cover root domain
Only one level

Wildcard Rules

Pattern	Covers	Does NOT cover
`*.example.com`	www.example.com, api.example.com	example.com, sub.api.example.com
`*.api.example.com`	v1.api.example.com	api.example.com

Important: *.example.com does NOT cover example.com (without subdomain)! Always add both as SAN.

Code Example (C#)

using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;
 
using var ctx = PqCryptoContext.Initialize();
 
var caCert = ctx.LoadCertificate("intermediate-ca.crt.pem");
var caKey = ctx.LoadPrivateKey("intermediate-ca.key.pem", "CaPassword!");
 
// Key pair for wildcard
using var wildcardKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);
 
var dn = new DnBuilder()
    .AddCN("*.example.com")
    .AddO("Example GmbH")
    .AddC("DE")
    .Build();
 
// Create CSR
var csr = ctx.CreateCertificateRequest(
    wildcardKey, dn,
    new ExtBuilder()
        // Wildcard + root domain
        .SubjectAlternativeName(new[] {
            "dns:*.example.com",
            "dns:example.com"
        })
        .Build()
);
 
// Issue wildcard certificate
var wildcardCert = ctx.IssueCertificate(
    csr,
    issuerCert: caCert,
    issuerKey: caKey,
    serialNumber: ctx.GenerateSerialNumber(),
    validDays: 365,
    extensions: new ExtBuilder()
        .BasicConstraints(ca: false, critical: true)
        .KeyUsage(KeyUsageFlags.DigitalSignature | KeyUsageFlags.KeyEncipherment)
        .ExtendedKeyUsage(ExtKeyUsage.ServerAuth)
        .SubjectKeyIdentifier(csr.PublicKey)
        .AuthorityKeyIdentifier(caCert)
        .CrlDistributionPoint("http://crl.example.com/intermediate.crl")
        .Build()
);
 
wildcardCert.ToPemFile("wildcard.crt.pem");
wildcardKey.ToEncryptedPemFile("wildcard.key.pem", "SecurePassword!");

Multi-Level Wildcard

For multiple subdomain levels, combine multiple wildcards:

.SubjectAlternativeName(new[] {
    "dns:example.com",
    "dns:*.example.com",          // www, api, app, etc.
    "dns:*.dev.example.com",      // dev1.dev, dev2.dev, etc.
    "dns:*.staging.example.com"   // staging environments
})

Security Notes

Risks of Wildcard Certificates:

Compromise affects ALL subdomains
Private key needed in multiple locations
Revocation affects all services

Best Practices:

Store private key centrally (HSM)
Short validity (max. 1 year)
Separate wildcard certificates for Prod/Dev/Staging
Monitoring for all subdomains

Related Scenarios

Relationship	Scenario	Description
Alternative	3.1 Server Certificate	Single certificate
Alternative	2.3 Multi-SAN CSR	Explicit SANs
Next Step	10.1 TLS Server	Deployment

« <- 3.4 S/MIME Certificate | ^ Certificates Overview | 4. Manage Certificates -> »

scenario, certificate, wildcard, subdomain, tls

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional