Wildcard SSL vs Single Certificate — When to Pick Which
The difference between single and Wildcard SSL certificates, scenarios where each makes sense, and total long-term cost.
As your project grows and you spin up subdomains (shop.example.sa, api.example.sa, admin.example.sa), a decision arrives: a separate SSL per subdomain, or one Wildcard that covers them all? This guide settles it with numbers and scenarios. Start with our SSL & HTTPS basics if you're new to certificates.
What is a single certificate?
It protects one domain (usually together with its www. variant). If you have:
- example.sa ✅
- www.example.sa ✅
- shop.example.sa ❌
You need a separate cert for shop.
What is a Wildcard certificate?
Covers all one-level subdomains:
- example.sa ✅
- www.example.sa ✅
- shop.example.sa ✅
- api.example.sa ✅
- anything.example.sa ✅
Important: does not cover nested subdomains. store.shop.example.sa won't work with a *.example.sa cert — you need a separate *.shop.example.sa.
How it works technically
An SSL certificate contains a CN (Common Name) and SAN (Subject Alternative Names):
- Single: CN = example.sa, SAN = www.example.sa
- Wildcard: CN = *.example.sa, matches any one-level subdomain
When connecting, the browser checks the CN/SAN and verifies that the requested domain is covered. If it is not, the browser shows a warning.
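The coverage rules above, as a simplified RFC 6125-style matcher (an added example, not code from the original page). The SAN lists are constructed and the function names are hypothetical; current browsers match against SAN entries, so the apex example.sa is covered by a wildcard cert only when it is listed as its own SAN entry.

```python
import ipaddress

def matches(pattern: str, hostname: str) -> bool:
    """Compare one SAN dNSName entry with the requested hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    try:
        ipaddress.ip_address(hostname)
        return False  # dNSName entries never match an IP literal
    except ValueError:
        pass
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False  # "*" stands for exactly one label, never zero or two
    if p_labels[0] == "*":
        # Wildcard is honoured only as the whole left-most label.
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels  # partial wildcards such as "w*" never match

def covered(san_entries, hostname: str) -> bool:
    """True if any SAN entry on the certificate covers the hostname."""
    return any(matches(p, hostname) for p in san_entries)

# Constructed SAN lists for illustration.
SINGLE = ["example.sa", "www.example.sa"]
WILDCARD = ["*.example.sa", "example.sa"]
WILDCARD_ONLY = ["*.example.sa"]  # apex not listed

HOSTS = ["example.sa", "www.example.sa", "shop.example.sa",
         "store.shop.example.sa", "anothersite.sa", "192.0.2.10"]

def coverage_table():
    """Map each host to (covered by single cert, covered by wildcard cert)."""
    return {h: (covered(SINGLE, h), covered(WILDCARD, h)) for h in HOSTS}

if __name__ == "__main__":
    for host, (single, wild) in coverage_table().items():
        print(f"{host:24} single={single!s:5} wildcard={wild}")
```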
When single makes sense
- One simple site (example.sa only)
- 1–2 subdomains, free Let's Encrypt certs are fine
- Early-stage project
- Very tight budget
Cost: free (Let's Encrypt) or SAR 100–300/year for paid.
When Wildcard makes sense
1. Multi-tenant SaaS
If customers access via customer1.yoursaas.sa, customer2.yoursaas.sa, a Wildcard is the clear choice. Creating a new cert per customer isn't practical.
2. Multiple environments
staging.example.sa, dev.example.sa, qa.example.sa, preview.example.sa — all covered by one cert.
3. Many subdomains (10+)
Managing 30 individual certs is an operational nightmare. Each needs renewal, expiry monitoring, periodic checks. One Wildcard is far simpler.
4. CDN / API integrations
cdn.example.sa, api.example.sa, images.example.sa, static.example.sa — Wildcard handles them in one shot.
5. Apps that dynamically create subdomains
Apps like GitHub Pages or Vercel create a subdomain per project. A Wildcard is required.
Cost: SAR 200–1,500/year (paid), or free via Let's Encrypt (needs DNS-01 verification).
Free Let's Encrypt Wildcard
Let's Encrypt has supported Wildcard certificates for free since 2018, but:
- Requires DNS-01 verification (TXT record on every renewal)
- Renews every 90 days
- Needs automation via certbot or acme.sh scripts + DNS API integration
Best Host customers get this automatically on Pro and Business plans.
Quick comparison
| Criterion | Single | Wildcard |
|---|---|---|
| Domains covered | 1 | Unlimited (one level) |
| Yearly price (paid) | SAR 100–300 | SAR 200–1,500 |
| Price (Let's Encrypt) | Free | Free (with DNS-01) |
| Management | Simple for one, complex for dozens | Simple (one cert) |
| Flexibility | Low | High |
| Security | Identical | Identical |
| Browser support | Universal | Universal |
| Multi-tenant fit | No | Yes |
| Renewal | Per cert | One cert |
What Wildcard doesn't cover
- Entirely different domains (anothersite.sa) — you need SAN/Multi-Domain
- Nested subdomains (a.b.example.sa) — needs a deeper Wildcard
- Non-HTTPS protocols (FTP, SMTP) — usually separate certs
- IP addresses — certs match names, not IPs
Wildcard risks
One cert covering all your subdomains means its private key is "all or nothing":
- If the key leaks, every subdomain is exposed
- If a subdomain is breached, forensic isolation is harder
For strict security cases, a per-domain cert may be better (e.g., billing.example.sa if it holds payment data).
Recommendation by project type
| Project | Recommendation |
|---|---|
| Brochure site | Free single DV |
| Small e-commerce (1–2 subdomains) | Free single DV per |
| SaaS platform | Wildcard |
| Large enterprise (many subdomains) | Wildcard + OV |
| Bank / financial | EV + Wildcard for side subdomains |
| Multi-tenant app | Wildcard mandatory |
| Site with API on subdomain | Wildcard or SAN |
Choosing a CA (Certificate Authority)
For paid Wildcards, top issuers:
| CA | Price | Pros |
|---|---|---|
| Let's Encrypt | Free | Most popular, easy automation |
| Sectigo | SAR 200–500 | High quality, 24/7 support |
| DigiCert | SAR 600–1,500 | Top-tier, trusted by enterprises |
| GeoTrust | SAR 300–700 | Recognized name |
| RapidSSL | SAR 200–400 | Fast issuance |
How to install a Wildcard
Via cPanel
- SSL/TLS → Generate CSR
- Send CSR to issuer
- Verify domain ownership (DNS-01 or email)
- Upload cert + intermediate
Via Nginx
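    server {
        listen 443 ssl;
        # Wildcard name plus the bare domain
        server_name *.example.sa example.sa;
        # Certificate file: the cert followed by the intermediate chain
        ssl_certificate /etc/ssl/wildcard.crt;
        # Private key for the wildcard cert
        ssl_certificate_key /etc/ssl/wildcard.key;
    }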
Via Cloudflare
- Add domain to Cloudflare
- Request Universal SSL (free)
- Automatically covers the domain + all managed subdomains
Tip: monitor expiry dates
With one Wildcard, an expired certificate breaks all your subdomains at once. Set reminders 30, 14, and 7 days out. Better: use Let's Encrypt automation with certbot renew.
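A small expiry check built around the 30/14/7-day reminders from the tip above (an added example, not tooling from the original page). The host names and dates are constructed and the function names are hypothetical; `fetch_not_after` needs network access, so `sweep` accepts a replacement fetcher for offline use.

```python
import socket
import ssl
from datetime import datetime, timezone

REMINDER_DAYS = (30, 14, 7)  # thresholds from the tip above

def days_left(not_after: str, now: datetime) -> int:
    """not_after uses the getpeercert() format, e.g. 'Jun  1 12:00:00 2025 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after),
                                     tz=timezone.utc)
    return (expires - now).days

def reminder_level(not_after: str, now: datetime):
    """Return 'expired', the tightest threshold crossed (7, 14 or 30), or None."""
    left = days_left(not_after, now)
    if left < 0:
        return "expired"
    crossed = [d for d in REMINDER_DAYS if left <= d]
    return min(crossed) if crossed else None

def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Read notAfter from the certificate the server actually presents."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def sweep(hosts, now: datetime, fetch=fetch_not_after) -> dict:
    """Check every endpoint serving the wildcard; each may hold a stale copy."""
    report = {}
    for host in hosts:
        try:
            report[host] = reminder_level(fetch(host), now)
        except OSError as exc:
            # Covers refused connections and TLS verification failures,
            # including a handshake rejected because the cert already expired.
            report[host] = f"error: {exc.__class__.__name__}"
    return report

if __name__ == "__main__":
    # Constructed host list; replace with the subdomains you serve.
    hosts = ["shop.example.sa", "api.example.sa", "admin.example.sa"]
    for host, level in sweep(hosts, datetime.now(timezone.utc)).items():
        print(f"{host:20} {level}")
```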
Bottom line
Pick single for small projects (free and sufficient). Pick Wildcard once you cross 3–4 subdomains, or if your product creates subdomains dynamically. Our team installs either type and manages auto-renewal. Hosting with us includes Let's Encrypt by default at no extra cost.