Safe Use of Wildcard Certificates
Wildcard certificates offer great flexibility to system administrators to minimize management by offering an unconstrained number of sub-domains within one certificate (e.g., *.company.com could represent dev.company.com, marketing.company.com, sales.company.com, etc.).
Wildcard certificates also pose substantial risks. Wildcards certificates can be used with the appearance of legitimacy with either a fictitious or a fraudulent sub-domain name. In addition, a single wildcard certificate and its corresponding private key could be used on multiple servers. In fact, it is the ease of management that makes it a more common, though ill-advised practice.
Ultimately, a wildcard certificate bypasses controls for those subscribers who rely on the certificate approval procedure to control the authorization of new servers and new domains.
Wildcard certificates are subject to the following attack:
- Impersonation Attack: luring a victim to a fraudulent resource in the certified domain through phishing.
Properly managed wildcard SSL certificates can provide increased flexibility for system administrators, but they come with increased risk. Entrust recommends using proper safeguards when deploying Wildcard certificates. For a more detailed analysis, please read our white paper entitled, "The Safe Use of Wildcard & Multi-Server Certificates."