Wildcard Certificates

Let’s Encrypt offers wildcard certificates (e.g. *.example.com) when using DNS-based validation methods. A wildcard certificate will work for any hostname inside a given domain, which helps with handling certificates for multiple domains. Check with other ACME providers to find out if, and how, they allow wildcard certificates.

Note

Wildcard certificates have a significant limitation, which is unrelated to ACME: A wildcard certificate is only valid for one level of subdomains.

For example, a wildcard certificate for *.example.com will work for host.example.com and host-sub.example.com, but it will NOT work for host.sub.example.com. If hosts are structured in this way, a wildcard certificate is required for each sub-zone, e.g. *.sub.example.com.

Wildcard validation requires a DNS-based method and works similarly to validating a regular domain. For example, to get a certificate for *.example.com, the package updates a TXT record in DNS the same way it would for example.com, which means the DNS record (and potentially the key name) would be _acme-challenge.example.com.

To obtain a wildcard certificate, follow the same procedures as other DNS validation methods, with the following differences:

  • The Account Key must be registered with an ACME server which supports issuing wildcard certificates.

  • The SAN list should contain entries for the base domain (e.g. example.com) and the wildcard version of the same domain (e.g. *.example.com). The settings will be the same for both entries.

  • For DNS-NSupdate / RFC 2136: Set the Key Name to the base domain (example.com) for both entries.
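The following is an added example, not code from the ACME package itself, that makes the two rules above checkable: the Note's one-level limit on what a wildcard covers, and the mapping from each SAN entry to the _acme-challenge TXT name the DNS-based validation uses. The function names and the sample hostnames are constructed for illustration; the matching rule implemented is the standard one (a single label in place of the asterisk), which is what the Note describes.

```python
# Added example (not part of the ACME package documentation or code).
# Demonstrates:
#   1. which hostnames a wildcard certificate name actually covers (one label only),
#   2. which _acme-challenge TXT record each SAN entry is validated through,
#   3. which SAN entries are needed to cover a given set of hostnames.

def normalize(name: str) -> str:
    """Lower-case a DNS name and drop any trailing dot so comparisons are exact."""
    return name.strip().rstrip(".").lower()


def wildcard_covers(cert_name: str, hostname: str) -> bool:
    """True if a certificate name (plain or wildcard) matches hostname.

    *.example.com matches host.example.com and host-sub.example.com, but not
    host.sub.example.com (two labels) and not example.com itself (zero labels).
    """
    cert_name = normalize(cert_name)
    hostname = normalize(hostname)
    if not cert_name.startswith("*."):
        return cert_name == hostname
    suffix = cert_name[2:]                       # "example.com"
    if not hostname.endswith("." + suffix):
        return False
    left = hostname[: -len(suffix) - 1]          # what replaces the asterisk
    return bool(left) and "." not in left        # exactly one label


def covered_by_san(san_list, hostname: str) -> bool:
    """True if any entry in the certificate's SAN list covers hostname."""
    return any(wildcard_covers(n, hostname) for n in san_list)


def challenge_records(san_list) -> dict:
    """Map each SAN entry to the _acme-challenge TXT name used to validate it.

    The wildcard and its base domain share the same record name, which is why
    the docs say the DNS record and key name are the same for both entries.
    """
    records = {}
    for name in san_list:
        name = normalize(name)
        base = name[2:] if name.startswith("*.") else name
        records[name] = f"_acme-challenge.{base}"
    return records


def san_entries_for(hostnames) -> set:
    """Return the SAN entries needed to cover every hostname given.

    A hostname with three or more labels is covered by a wildcard on its parent
    zone (one wildcard per sub-zone, as the Note requires); a bare base domain
    must be listed explicitly because no wildcard covers it.
    """
    entries = set()
    for h in hostnames:
        h = normalize(h)
        labels = h.split(".")
        if len(labels) >= 3:
            entries.add("*." + ".".join(labels[1:]))
        else:
            entries.add(h)
    return entries


if __name__ == "__main__":
    # Constructed sample data.
    san = ["example.com", "*.example.com"]
    for host in ["example.com", "host.example.com", "host-sub.example.com", "host.sub.example.com"]:
        print(f"{host:24} covered: {covered_by_san(san, host)}")
    print(challenge_records(san))
    print(san_entries_for(["example.com", "host.example.com", "host.sub.example.com"]))
```

Running the block with the sample SAN list shows host.sub.example.com reported as not covered, and the last line lists the extra *.sub.example.com entry that would be needed for it, matching the guidance in the Note.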