Wildcard Certificates¶
Let’s Encrypt supports wildcard certificates (e.g. *.example.com) with their
ACMEv2 infrastructure. A wildcard certificate will work for any hostname inside
a given domain, which helps with handling certificates for multiple domains.
Check with other ACME providers to find out if, and how, they support wildcard
certificates.
Note
Unrelated to ACME, but wildcard certificates in general: A wildcard is only
valid for one level of subdomains. For example, *.example.com will
work for host.example.com but will NOT work for
host.sub.example.com. If hosts are structured in this way, a wildcard
certificate is required for each sub-zone, e.g. *.sub.example.com.
Wildcard validation requires a DNS-based method and works similar to
validating a regular domain. For example, to get a certificate for
*.example.com, the package updates a TXT record in DNS the same as it would
for example.com, which means the DNS record (and potentially key name) would
be for _acme-challenge.example.com.
To obtain a wildcard certificate, follow the same procedures as other DNS validation methods, with the following differences:
The Account Key must be registered with an ACME v2 server (staging for testing, or production)
The Domain SAN list should contain entries for the base domain (e.g.
example.com) and the wildcard version of the same domain (e.g.*.example.com). The settings will be the same for both entries.For DNS-NSupdate / RFC 2136: Set the Key Name to the base domain (
example.com) for both entries.