SSL certificate maximum validity is being reduced to 200 days from March 2026. Read more →

SSL Certificates

Cheap SSL DV SSL Wildcard SSL Multi-Domain (SAN) OV & EV SSL

Specialty Certificates

Code Signing Document Signing Email / S/MIME VMC / BIMI
In effect now Certificate Lifetime

Automation

Overview Auto DNS FairSSL vs Let's Encrypt

Platforms

Windows Setup Linux & Kubernetes Appliances ACME Clients

Tools

SSL Scanner Certificate Decoder CAA Generator

Guides

Windows Server Linux & Open Source All guides

Company

About Us Contact Installation Service
News

Language

Dansk Svenska English

Currency

Login Create Account

Wildcard SSL Certificate

A Wildcard SSL certificate protects your domain and all subdomains under it with one certificate. Instead of buying separate certificates for www, mail, shop and intranet, one Wildcard covers them all.

But wildcards have rules. This page explains exactly what * covers and what to do when you need more.

How wildcard matching works

The asterisk * replaces one arbitrary label, i.e. text without a dot. The asterisk cannot match a dot (.), and it cannot be empty.

*.fairssl.dk

Matches any name that has exactly one label before .fairssl.dk

✓ www.fairssl.dk ✓ mail.fairssl.dk ✓ anything.fairssl.dk
✗ sub.sub.fairssl.dk ✗ fairssl.dk

* The root domain (fairssl.dk) is automatically included by the CA, but technically it is not the asterisk that matches it.

Example: One certificate with multiple wildcards

Imagine your certificate contains these three names:

*.fairssl.dk *.sub.fairssl.dk fairssl.dk

These names are covered

  • fairssl.dk , root domain
  • www.fairssl.dk , matches *.fairssl.dk
  • mail.fairssl.dk , matches *.fairssl.dk
  • shop.fairssl.dk , matches *.fairssl.dk
  • api.sub.fairssl.dk , matches *.sub.fairssl.dk
  • staging.sub.fairssl.dk , matches *.sub.fairssl.dk

These names are NOT covered

  • deep.api.sub.fairssl.dk , 2 levels below sub
  • sub.fairssl.dk , *.fairssl.dk matches "sub", but sub.fairssl.dk is not the *.sub.fairssl.dk root
  • other.example.com , entirely different domain

Have names that don't match a wildcard?

You can always add individual domain names as extra SAN fields in the certificate. If you also need sub.fairssl.dk or legacy.example.com, simply add those names individually. Most wildcard certificates support multi-domain (SAN).

The rules in brief

*

The asterisk = one label

* matches one arbitrary label without a dot. www, mail, api123, all are valid.

.

The dot = boundary

The asterisk cannot match a dot. That is why *.a.dk does not cover x.y.a.dk, that is two levels.

+

Add more names

Missing a name? Add it individually as a SAN. You can mix wildcards and specific names in one certificate.

DV Wildcard vs. OV Wildcard

DV Wildcard OV Wildcard
Price From €161/year From €402/year
Validation Domain only Organisation identity
Issuance ~10-30 min 1-3 days
Organisation name
Best for Blogs, SaaS, dev Businesses, e-commerce

Validation: DNS is required

Wildcard certificates require DNS-01 validation: you need to add a TXT record to your domain's DNS. HTTP-01 validation is not supported for wildcards.

With FairSSL's AutoDNS you set a permanent CNAME record once, and we handle DNS validation automatically at every renewal, including via ACME.

Read about ACME automation with AutoDNS →

Wildcard certificates

DV Wildcard

Thawte

Thawte SSL123 Wildcard

DV

DV wildcard from DigiCert. Can also add individual SAN names.

from €228 €147 /year See details →
Sectigo

Sectigo PositiveSSL WC

DV

Cheapest wildcard DV certificate.

from €147 €134 /year See details →

OV Wildcard

DigiCert

DigiCert Basic OV Wildcard

OV

OV wildcard from DigiCert. Organisation name in certificate.

from €723 /year See details →
GlobalSign

GlobalSign OV SAN Wildcard

OV

GlobalSign OV wildcard with SAN support.

from €717 /year See details →
GeoTrust

GeoTrust True BusinessID Wildcard

OV

GeoTrust OV wildcard. Strong trust at low price.

from €401 /year See details →
See all products with prices →

Frequently asked questions about Wildcard SSL

Find answers to the most common questions about SSL certificates and FairSSL.

Yes. All CAs automatically include the root domain (e.g. fairssl.dk) when you order *.fairssl.dk. You do not need to add it separately.
Yes. Wildcard certificates have unlimited server installations. Use it on your web server, mail server, load balancer, etc. simultaneously.
No. Wildcards only cover one level. For sub.sub.fairssl.dk you need to either add the name as an individual SAN domain or use a separate wildcard *.sub.fairssl.dk.
Yes. Multi-domain certificates can contain wildcards and specific names in combination. For example *.fairssl.dk + *.app.fairssl.dk + legacy.example.com in one certificate.
SSL certificate lifetimes are being reduced in stages: 200 days from 15 March 2026, 100 days from 15 March 2027, and 47 days from 15 March 2029. Wildcard certificates are affected equally. We recommend setting up ACME automation with a DNS plugin so renewal happens automatically.
Yes. With 3 or more subdomains, a Wildcard is almost always cheaper than separate certificates. You can add new subdomains at any time without ordering a new certificate.

Secure all your subdomains with one certificate

Create a free account and issue your first certificate in under 10 minutes.

Create free account Compare certificates