Wildcard SSL certificate
A cert valid for *.example.com — covering any single-label subdomain. Useful for tenant subdomains; not useful for unrelated customer domains.
A wildcard certificate covers *.example.com and matches any single-label subdomain: acme.example.com, shop.example.com, api.example.com. It doesn't cover the apex example.com (you need a separate name on the cert for that) or multi-label subdomains like a.b.example.com (you'd need *.b.example.com for that).
When wildcards work for SaaS
Yes: if your customers are on tenant subdomains of YOUR domain (acme.yourapp.com, shop.yourapp.com). One *.yourapp.com wildcard cert serves all of them.
No: if your customers bring their own root domains (acme.com, shop.com). Wildcards are scoped to a single base domain. Each customer's domain needs its own cert (single-name DV or a SAN cert grouping a few customer domains).
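The matching rule and the tenant-subdomain versus customer-domain split described above, as an added example (not code from this page or from any CA or TLS library). The function names and the sample hostname list are constructed for illustration, and only a whole left-most `*` label is treated as a wildcard.

```python
"""Added example: which hostnames a wildcard certificate name covers."""


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (exact or '*.base') covers hostname."""
    pat, host = _labels(pattern), _labels(hostname)
    if len(pat) != len(host) or "" in host or "*" in host:
        return False  # '*' stands for exactly one label, never zero or two
    if pat[0] == "*":
        # Wildcard only in the left-most label; the remaining labels must be equal.
        return "*" not in pat[1:] and pat[1:] == host[1:]
    return pat == host


def plan_cert_names(base: str, hostnames: list[str]) -> dict[str, list[str]]:
    """Split hostnames into those served by '*.base' and those needing another name."""
    wildcard = f"*.{base}"
    plan = {"covered_by_wildcard": [], "needs_own_name": []}
    for h in hostnames:
        key = "covered_by_wildcard" if wildcard_matches(wildcard, h) else "needs_own_name"
        plan[key].append(h)
    return plan


# Constructed sample hostnames, using the domains named on this page.
SAMPLE = [
    "acme.yourapp.com",   # tenant subdomain
    "shop.yourapp.com",   # tenant subdomain
    "yourapp.com",        # apex
    "a.b.yourapp.com",    # multi-label subdomain
    "acme.com",           # customer-owned root domain
]

if __name__ == "__main__":
    for group, names in plan_cert_names("yourapp.com", SAMPLE).items():
        print(group, names)
```

Anything that lands in `needs_own_name` has to be added to the certificate as a separate name or served from a different certificate.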
Wildcards via Let's Encrypt
Let's Encrypt supports wildcards, but ONLY via the DNS-01 challenge. HTTP-01 proves control of only the one hostname that serves the challenge file, not of every subdomain. DNS-01 puts the challenge in the zone itself, which shows control over the whole zone.
If you can't access the domain's DNS programmatically (e.g., customer-owned domains where you don't have API access), wildcards aren't an option. You're back to single-name certs.
Cost comparison
| Cert type | Free CA | Paid CA |
|---|---|---|
| Single-name DV | Free (Let's Encrypt) | $10–$30/yr |
| SAN (up to 100 names) | Free | $50–$300/yr |
| Wildcard | Free | $100–$300/yr |
| EV / OV | N/A | $50–$1000/yr |
For SaaS, the free CA covers everything except very specific enterprise compliance requirements.