SSL Certificates: Multiple Single Domain vs Wildcard?

In my company we want to deploy SSL certificates to some websites we own, and to our RADIUS server as well (Cisco ACS).

What is the practical difference between acquiring 5-10 single-host certificates and a single wildcard certificate for the whole domain (i.e. common to all the hosts)?

All hosts are in the same domain. I'm not sure what certificate to choose.

Thanks,


Solution 1:

I just asked a similar question. I believe part of the trade-off is cost and security. If one cert is compromised, that's just one out of 5-10, but you are paying more per cert. If you have one cert it is less, but if it gets compromised you are looking at 10 points of failure now.

From another site:

SSL Wildcard Certificates won't work for multiple levels. This means that an SSL Certificate Wildcard for *.mydomain.com won't work on www.mail.mydomain.com

I'd encourage you to read http://www.sslshopper.com/best-ssl-wildcard-certificate.html for a pro/con on Wildcard certs.
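Added example, not from the answer above or the site it quotes: a hostname matcher that implements the wildcard rule the quote describes, as specified in RFC 6125 section 6.4.3 (a wildcard is honoured only as the whole leftmost label and matches exactly one label, so *.mydomain.com covers www.mydomain.com but not www.mail.mydomain.com or the bare mydomain.com). The host list and certificate name sets are made up to mirror the question's 5-10 hosts plus a RADIUS server.

```python
# Added example (not from the original post). Hostnames below are constructed.


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one certificate name (CN or DNS SAN) covers hostname.

    Rules implemented (RFC 6125 section 6.4.3, as browsers apply them):
      * comparison is case-insensitive, trailing dots ignored;
      * a wildcard is accepted only as the entire leftmost label;
      * the wildcard matches exactly one label: "*.mydomain.com" covers
        "www.mydomain.com" but not "mydomain.com" or "www.mail.mydomain.com";
      * wildcards directly under a public suffix such as "*.com" are refused.
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # Only "*" as the whole leftmost label; "f*.example.com" or "*.*.x" are rejected.
    if cert_labels[0] != "*" or any("*" in label for label in cert_labels[1:]):
        return False
    if len(cert_labels) < 3:  # "*.com" style wildcard
        return False
    if len(host_labels) != len(cert_labels):  # wildcard spans exactly one label
        return False
    return host_labels[1:] == cert_labels[1:]


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name in the certificate covers hostname."""
    return any(name_matches(name, hostname) for name in cert_names)


def coverage(cert_names, hosts):
    """Map each host to whether the given certificate would be accepted for it."""
    return {host: cert_covers(cert_names, host) for host in hosts}


# Constructed fleet: a few web hosts, the RADIUS server, a second-level host, the bare domain.
HOSTS = [
    "www.mydomain.com",
    "mail.mydomain.com",
    "radius.mydomain.com",
    "www.mail.mydomain.com",
    "mydomain.com",
]
WILDCARD_CERT = ["*.mydomain.com"]
WILDCARD_PLUS_APEX = ["*.mydomain.com", "mydomain.com"]

if __name__ == "__main__":
    for label, names in (("wildcard only", WILDCARD_CERT), ("wildcard + apex", WILDCARD_PLUS_APEX)):
        print(label)
        for host, ok in coverage(names, HOSTS).items():
            print(f"  {host:28s} {'covered' if ok else 'NOT covered'}")
```

The two hosts a plain wildcard leaves uncovered, the bare domain and anything one level deeper, are exactly the ones that would still need their own certificate (or an extra SAN entry) if you go the wildcard route.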

Solution 2:

We go with the wildcard and just make sure it's not exportable so people can't use it wherever they please. The plus side is that you only need one and so you only need to generate it in one place as opposed to generating and completing certs for each.

The downside is that you have to replace all of them at the same time when you renew. Which means you'd better know all the places it's being used.

I've also seen some devices not like wildcard certs, though I can't find any specific examples offhand. They just seem to require the FQDN and can't match *.domain.com to what they're being delivered. Just something to watch for.

Phil.
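Added example, not from the answer above: a small inventory script for the renewal problem it raises. It groups the hosts by the serial number of the certificate each one actually presents, so every host sharing the wildcard shows up as one renewal job and a host that was missed during a rollout (still presenting the old serial) stands out. `fetch_peer_cert` does a live handshake and is not exercised offline; the observations, hostnames, serials and dates below are constructed to stand in for its output.

```python
# Added example (not from the original answer). Observations below are constructed.
import socket
import ssl
from collections import defaultdict


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Live TLS handshake returning the peer certificate in the dict form
    that ssl.SSLSocket.getpeercert() produces. Needs network access; the
    offline demo feeds the functions below constructed dicts instead."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def group_by_serial(observations):
    """observations: {hostname: getpeercert() dict}.
    Returns {serial: sorted hosts presenting that certificate}. Hosts that
    share a serial share one certificate and key, so they renew together."""
    groups = defaultdict(list)
    for host, cert in observations.items():
        groups[cert["serialNumber"]].append(host)
    return {serial: sorted(hosts) for serial, hosts in groups.items()}


def days_left(cert, now_epoch):
    """Whole days from now_epoch until the certificate's notAfter."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now_epoch) // 86400)


def renewal_plan(observations, now_epoch, horizon_days):
    """[(serial, days_left, hosts)] for every certificate expiring within
    horizon_days, soonest first. Each entry is one replacement to roll out
    to all listed hosts at the same time."""
    plan = []
    for serial, hosts in group_by_serial(observations).items():
        remaining = days_left(observations[hosts[0]], now_epoch)
        if remaining <= horizon_days:
            plan.append((serial, remaining, hosts))
    return sorted(plan, key=lambda entry: entry[1])


# Constructed observations: three hosts share the wildcard, one host (vpn)
# still carries its own single-host certificate.
WILDCARD = {
    "serialNumber": "0A1B2C",
    "notAfter": "Jan 31 23:59:59 2026 GMT",
    "subjectAltName": (("DNS", "*.mydomain.com"), ("DNS", "mydomain.com")),
}
VPN_ONLY = {
    "serialNumber": "FF0001",
    "notAfter": "Dec 31 23:59:59 2026 GMT",
    "subjectAltName": (("DNS", "vpn.mydomain.com"),),
}
OBSERVED = {
    "www.mydomain.com": WILDCARD,
    "mail.mydomain.com": WILDCARD,
    "radius.mydomain.com": WILDCARD,
    "vpn.mydomain.com": VPN_ONLY,
}
NOW = ssl.cert_time_to_seconds("Jan 01 00:00:00 2026 GMT")

if __name__ == "__main__":
    for serial, remaining, hosts in renewal_plan(OBSERVED, NOW, 60):
        print(f"serial {serial}: {remaining} days left; replace on {', '.join(hosts)}")
```

Run it again after the rollout: any host still in the old serial's group is a place the wildcard was deployed that the renewal missed. For a RADIUS server the port is not 443, so pass the EAP-TLS or admin port that actually presents the certificate.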