Multi-Domain Wildcard SSL certificates are a great way to secure virtually unlimited sub-domains on more than one root domain. With this type of SSL certificate, you can secure both wildcard and non-wildcard domain names together, and perhaps eliminate the need for multiple certificates on your server.
However, there are some limitations to the Multi-Domain Wildcard SSL certificate, no matter what product brand or Certificate Authority you pick.
What Are the Domain Name Requirements for Multi-Domain Wildcard SSL?
Most importantly, a Multi-Domain Wildcard SSL cannot have a wildcard domain as the common name.
While single-domain wildcard SSL certificates require your common name to include a star, e.g. *.domain.com, the Multi-Domain Wildcard actually cannot use this kind of domain name as the common name. Your common name must be a fully-qualified domain name or sub-domain, e.g. domain.com.
The Subject Alternative Names (SANS, or additional domains) on the Multi-Domain Wildcard SSL can be either a fully-qualified domain name or a wildcard domain name. The SANs generally do not need to be included in your Certificate Signing Request (CSR) as you will manually list each name on the order form on your account, separately from the CSR.
Just like non-wildcard Multi-Domain SSL, your certificate requires the manual addition of any additional domain or sub-domain on the list of secured SAN names. The Multi-Domain Wildcard SSL certificate does not secure any domains that are not included as a SAN, except when a wildcard name can secure it.
For example, the SAN *.domain.com will secure all sub-domains on domain.com (www.domain.com, mail.domain.com, shop.domain.com, etc) , so you do not need to specify these sub-domains on your SAN list. But if you want the certificate to secure domain.com too, then you do need to add domain.com as a SAN domain (if it is not the common name).
Ideally, you should plan to generate your Multi-Domain Wildcard SSL certificate so that you'll have optimal domain coverage.
Example of Optimal Multi-Domain Wildcard SSL Domain Coverage
Suppose you need an SSL certificate to secure all of the following domain names:
To ensure all of these domains are covered, we recommend that you generate a CSR for a non-www domain name, in this case either domain.com or website.com. Whichever of these 2 domains you don't use as the common name will be added to the list of SANs later.
Now, to secure the rest of the domains, you will need exactly 3 available SANs on your certificate. The SANs should include: