Basics: Great for 5 sites on the same server, terrible for 5 sites on 5 servers. Great use case would be a loaded Exchange 2007 server, with,,,, and all on the same front-end DMZ server.

Typically, it makes financial sense to consider a wildcard certificate if you have more than FOUR OR FIVE SUBDOMAINS under the same domain which need to be secured. Normally you require a separate IP address for each server you are securing, whereas a wildcard certificate requires only one IP address for all the servers it secures. – You can host both and on the same PC with one public IP address – the cert will be verified, and once unencrypted, the server can use host headers to route the traffic. It presents the same cert regardless of what domain name the client request comes in on, so you’re fine either way.

You can only install a wildcard cert on ONE server per license; adding it to additional servers requires paying a hefty license fee, nearly the same price as the wildcard cert itself. If you had 10 sites on 2 servers, a wildcard cert + extra license would make sense. If you had 10 sites on 10 servers, a wildcard cert would cost you about 5x as much as regular certs. Different Certificate Authorities have different methods of enforcing this; some will verify your wildcard cert based on IP, etc. The short version is that unless a server is hosting 5 distinct subdomains, it is not worth using a wildcard certificate.

If you were in some megaconglomerate where $$$ was of no concern, it could make sense to just keep buying licenses for your wildcard cert instead of going through the motions of buying different certs for each subdomain, and renewing them all at once. Though if you’re THAT big, usually your Verisign account rep will be handling that for you while polishing your shoes and offering you free pastries.

-Chase Christian
Network Engineer
CIO Solutions
Office (805) 692-6700 x 126
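The post says the server presents the same wildcard cert no matter which subdomain the client asked for, so whether a given site is actually covered comes down to how TLS clients match a hostname against `*.example.com`. The following is an added example, not code from the original post or its author; it implements the matching rules browsers apply (RFC 6125 / RFC 2818: the `*` must be the whole leftmost label and matches exactly one label), and runs them over a constructed SAN list and a constructed set of hostnames. The names `example.com`, `mail`, `owa` and the helper functions are assumptions made for illustration.

```python
"""Check which hostnames a wildcard certificate actually covers.

Added example, not part of the original post. Encodes the wildcard
matching rules TLS clients use (RFC 6125 section 6.4.3 / RFC 2818):
  * '*' is only honoured as the entire leftmost label ("*.example.com");
  * it matches exactly one label, so it covers mail.example.com but
    neither example.com itself nor a.b.example.com;
  * "*.com" style patterns are rejected as too broad.
All certificate names and hostnames below are constructed samples.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate dNSName `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False

    # Plain names must match exactly (case-insensitively).
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    # Only a whole leftmost '*' is a valid wildcard; "mail*.example.com"
    # and "*.*.example.com" are rejected by modern clients.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False

    # Refuse wildcards over a public suffix such as "*.com".
    if len(p_labels) < 3:
        return False

    # The wildcard stands in for exactly one label, so the label count
    # must be identical and every remaining label must match.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def covered_names(san_names: list[str], hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname to whether any SAN entry on the cert covers it."""
    return {
        host: any(hostname_matches(san, host) for san in san_names)
        for host in hostnames
    }


# Constructed sample: a wildcard cert that also lists the bare domain.
CONSTRUCTED_SANS = ["*.example.com", "example.com"]
# Constructed sample: the sites an admin might put behind that one cert.
CONSTRUCTED_HOSTS = [
    "mail.example.com",      # covered by the wildcard
    "owa.example.com",       # covered by the wildcard
    "example.com",           # covered only because it is listed explicitly
    "a.b.example.com",       # NOT covered: wildcard matches one label only
    "evil-example.com",      # NOT covered: different domain
]

if __name__ == "__main__":
    for host, ok in covered_names(CONSTRUCTED_SANS, CONSTRUCTED_HOSTS).items():
        print(f"{host:22} {'covered' if ok else 'NOT covered'}")
```

The practical caveat this makes visible: a `*.example.com` certificate covers the front-end's subdomains, but not the bare domain unless it is added as its own SAN entry, and not anything two labels deep. Before consolidating sites onto one wildcard cert, run the intended hostnames through a check like this rather than assuming the wildcard reaches them.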