Do I have to buy a second wildcard certificate for a subdomain?

# Yes, you will have to buy another certificate*

The asterisk wildcard character * will only match 1 label in a resolved FQDN.

This behavior reflects RFC 4592 Section 3.3, in its description of DNS label matching and fallback to the asterisk label.

If you only need to secure a single endpoint under the .internal.mycompany.com. namespace, you don't need a wildcard certificate; just buy a regular single-subject certificate.


*) The CA/Browser Forum baseline requirements for public certificate issuance do permit wildcard names in the SAN extension of a certificate, so technically, a single wildcard certificate could be valid for wildcard matching on multiple subdomains, but I have never seen this type of product advertised off-the-shelf anywhere, and I would assume it to be overtly expensive.
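The one-label rule and the multi-wildcard SAN case from the footnote, as an added example that is not part of any answer on this page. It is a simplified matcher, not the code of any TLS library; the function names and the SAN lists are constructed for illustration.

```python
def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing root dot, split into labels."""
    return name.lower().rstrip(".").split(".")


def san_matches(pattern: str, hostname: str) -> bool:
    """True if a single SAN dNSName entry covers hostname.

    '*' is honoured only as the complete left-most label and stands for
    exactly one label, so it never spans a dot.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in p or "" in h:
        return False  # equal label count required: '*' cannot absorb extra labels
    head, tail = p[0], p[1:]
    if any("*" in label for label in tail) or ("*" in head and head != "*"):
        return False  # wildcard outside the left-most label, or a partial one
    return tail == h[1:] and (head == "*" or head == h[0])


def coverage(sans: list[str], hostnames: list[str]) -> dict[str, list[str]]:
    """Map each hostname to the SAN entries that cover it (empty list = mismatch)."""
    return {h: [s for s in sans if san_matches(s, h)] for h in hostnames}


# Constructed sample data: the names used in the question and answers.
HOSTS = ["mycompany.com", "internal.mycompany.com", "server.internal.mycompany.com"]
WILDCARD_ONLY = ["*.mycompany.com"]
MULTI_SAN = ["mycompany.com", "*.mycompany.com", "*.internal.mycompany.com"]

if __name__ == "__main__":
    for title, sans in (("wildcard only", WILDCARD_ONLY), ("multi-SAN", MULTI_SAN)):
        print(title)
        for host, hits in coverage(sans, HOSTS).items():
            print(f"  {host:32} {'covered by ' + ', '.join(hits) if hits else 'MISMATCH'}")
```

Under this matcher a name is covered only if some SAN entry has the same number of labels, which is why the apex name needs its own entry in the list.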


According to wildcard SSL certificate security protocols, a wildcard certificate allows protection of only the first-level domain, which also includes your main domain, such as domainname.com and domain.domainname.com. It allows security for unlimited subdomains, but they must be first-level domains.

If you want to protect a subdomain name in the format domain.domain.domainname.com, which is technically known as a second-level subdomain name, then you must have another wildcard SSL certificate specifically for securing that subdomain name.


A wildcard SSL certificate can secure only single-level subdomains. If you have a wildcard SSL certificate that is issued for *.mycompany.com, then it will secure mycompany.com and all its subdomains.

If your requirement is securing second-level subdomains, you should create a CSR for *.internal.mycompany.com (in this case, mycompany.com will get a domain name mismatch warning in browsers, so you need to purchase a standard SSL certificate for mycompany.com).

It is possible to secure your entire website with a single multi-domain certificate. With a Multi Domain SSL certificate, you can secure multiple websites, subdomains and multi-level subdomains.

  • mycompany.com
  • mycompany.co.uk
  • internal.mycompany.com
  • *.mycompany.com
  • server.internal.mycompany.com ..anycompany.anytld

The Multi Domain SSL certificate is also known as a SAN SSL certificate and counts each condition as an individual SAN name.

You should evaluate how many subdomains are created under mycompany.com and *.internal.mycompany.com, which will help you choose the right certificate product.

A detailed scenario is already explained here - Wildcard SSL certificate for second-level subdomain