Businesses are all about using minimum resources to maximize their investment returns. As such, one of the common questions that many enterprises ask when they are considering investing or renewing their security certificates, is:
“Can I use just one TLS/SSL Certificate to secure multiple domains?”
The answer is, obviously, yes—you can buy one wildcard SSL certificate to secure unlimited subdomains. But while it’s certainly possible to use a single machine identity to secure multiple domains, it isn’t always safe. Relying on one wildcard certificate to manage several subdomains comes with a variety of security challenges.
In this post, I’ll explain the opportunities and challenges of using a single TLS/SSL certificate to secure multiple domains.
What is a wildcard certificate?
To begin, a wildcard certificate is a public key certificate (like SSL/TLS) that can be used to secure all first-level subdomains of a single domain name. In other words, instead of purchasing a distinct certificate for each of your subdomains, you could use a single wildcard certificate to secure all these subdomains.
On the surface, wildcard certificates appear to be a great way to quickly and easily deploy HTTPS quickly and easily across subdomains. You buy one certificate and you’re good to go for unlimited subdomains. Indeed, wildcard certificates are cheaper and easier to extend. But they are not necessarily easier to manage. And when things go wrong the initial convenience may evaporate quickly. For example, if you ever need to replace your domain wildcard with a more secure EV certificate, you could face a mess of subdomains to find and fix. But the most pressing reason to avoid wildcards is that they are simply less secure and can open the door to phishing attacks.
But perhaps the most pressing reason to avoid wildcards is that without proper security, control, and monitoring, wildcard certificates can be misused by cybercriminals to exploit the trust organizations have in them. In that sense, wildcard certificates are simply less secure and can open the door to phishing attacks. Thus, wildcard certificates can create significant security risks since the same private key is used across multiple systems, thereby increasing the risk of compromise across your organization.
The perks of using wildcard certificates: A single certificate for multiple domains
The "low-hanging fruit" of using a single certificate to secure multiple domains is that it appears easier to manage, more affordable, and helpful for your website on the SEO (Search Engine Optimization) front.
It may seem easier to manage a wildcard certificate because you only have to worry about issuing and renewing one certificate for all your subdomains. (But we’ll talk more about the reality of wildcard certificate management later). If you are a bootstrapped company on a tight budget, you can secure 15 different subdomains with just one certificate.
The above-mentioned benefit also helps you save money. Since there is only one certificate to issue, manage, and renew—your overhead costs are significantly low in comparison to buying and managing multiple single domain certificates.
For most companies, buying one certificate for all their subdomains also comes down to the speed of deployment. For instance, most CAs issue a wildcard TLS/SSL certificate within a few hours from your purchase. Once you have the certificate, it doesn’t take more than a few minutes for you to install it to all your domains. Compare that with the process of buying extended validation (EV) certificates, which easily takes a few days because most CAs have a long and complicated verification process behind issuing EV certificates.
Another benefit is that whether you are using one or multiple TLS/SSL certificates, HTTPS will increase the chances of your website ranking on top of search engine pages. It’s old news but one that you must be aware of— Google counts SSL certificates as a lightweight ranking signal to encourage all businesses to encrypt their domains.
From a business perspective, this is a critical step towards maintaining your brand reputation. Not having an SSL certificate means search engines will show a warning message to the visitors when they enter your website from the search results page. It’s the quickest way to create a bad customer experience and lose customers’ trust in your brand.
Using just one security certificate across all subdomains not only saves you a ton of money but, also secures your domains and builds trust in your brand.
Why Do You Need a Control Plane for Machine Identities?
So why is it risky to use a wildcard certificate?
To fully comprehend why they are less secure than you'd think, you must first understand a bit about the nature of wildcard certificates. A wildcard certificate is a public key certificate used by all subdomains within a larger domain. Using a wildcard certificate on a publicly facing web server, you can quickly secure unlimited subdomains that are all encrypted by the same certificate. Unfortunately, so can cybercriminals.
Using a wildcard certificate is like locking your house's front door while leaving the other doors open. The rooms inside your house are secure, but only until someone breaches the main door—then every room is vulnerable. Once they have access to your rooms/domains, cybercriminals can easily launch phishing attacks because they have gained the insider privilege to create new subdomains from within your server.
Here are some of the ways that cybercriminals can misuse wildcard certificates:
- Compromised web servers. If you are using a wildcard certificate on public-facing web servers, it may increase the risk of cybercriminals using that web server to host malicious sites for phishing campaigns.
- Stolen private keys. If cybercriminals gain access to a wildcard certificate’s private key, they may be able to impersonate any domain protected by that wildcard certificate.
- Fake certificates. If cybercriminals trick a CA into issuing a wildcard certificate for a fictitious company, they can then use those wildcard certificates to create subdomains and establish phishing sites.
Wildcard certificates may help you secure your public domains at an encryption level, but the risks involved can cut deeper.
For example, if you are using a single wildcard cert to secure several domains, cybercriminals can use that to their advantage. A wildcard certificate is a single-point encryption parameter; if it fails, your entire security structure falls apart. Compromising your main encryption gate gives bad actors access to the private keys all your subdomains shared, which they can then use to break into those subdomains.
Here’s a an example:
Let’s say a cybercriminal is able to bypass the wildcard certificate that www.amazon.com was using to secure its host domain and other subdomains.
Now they can create a number of spoofed URLs such as:
- www.amazan.com/sign-up
- www.amazon.com.login-user.info
- www.amazon.account.getbill-service.com/signin/
At a glance, all of these URLs look like legitimate Amazon sites. But if you look closely, they are fake clones of the Amazon URL.
Many cybercriminals go to the extent of designing websites that mimic popular brands to trick our eyes and brains into sharing personal information, which they can misuse for their own gain. Here’s an example:
Cybercriminals are also getting better at either stealing encryption keys from Certificate Authorities (CAs) such as Symantec, DigiCert, or GoDaddy or buying them from the Dark web marketplace.
Simply put, you can’t rely too much on wildcards for encrypting your domains as they can open the backdoors for cybercriminals to launch phishing attacks.
Wildcard certificates can also cause outages
Managing wildcard certificates becomes especially challenging when a single certificate is being used across many websites or critical business infrastructure. I can’t tell you how many stories I’ve heard about machine identity professionals renewing a wildcard certificate and replacing it only on the systems they can remember. Invariably, there is always a system that didn’t make the list, and when the original wildcard certificate expires the system that wasn't updated goes down.
As Walter Goulet, product manager for Venafi, mentioned in a previous blog, “when a wildcard certificate is deployed widely, there is an inability to schedule expiration rates around high traffic usage periods of business-critical infrastructure. As a result, when that wildcard certificate nears expiration, you need to coordinate renewal and installation on all systems that are using that certificate at the same time, or at least start the renewal and replacement process well before the certificate expires which reduces the effective lifetime of the wildcard certificate.”
So much for the idea of easier management! It seems convenient at first, but is not-so-great when the time comes to untangle the web at renewal.
What makes wildcard compromises so serious?
If cybercriminals infiltrate your domain, they can gain privileges that allow them to create unlimited domains—all encrypted by your wildcard certificate. Even worse, these subdomains will appear to be valid because they are authenticated by your wildcard certificate. These illegitimate subdomains allow cybercriminals to host malicious websites that they can then use in phishing campaigns.
How does this work? Any subdomain created for the domain on a web server that uses a wildcard certificate will use the same certificate. For example, a webserver with a wildcard certificate is hosting the domain https://example.com. Anyone with access to the webserver can set up a subdomain, https://phishing.example.com, on the webserver using the wildcard certificate.
Visitors to the phishing site are not likely to realize that they are on the phishing site because their browsers establish an HTTPS connection using the legitimate wildcard certificate. All these visitors often see is the green highlighted part of the URL which signals a valid site. Most visitors are not likely to scroll through the entire URL to discover the part of the URL which would arouse suspicion about its validity.
What do you need to know before using a wildcard certificate?
Wildcard certificates do offer certain benefits, but you should make sure that you are using them consciously and strategically. It helps to be very specific about what you plan to accomplish by using them. As outlined in a previous blog, here are the factors you should consider before you make your choice:
- Do you understand the security risks?
Do you have a plan for how to limit your use of wildcard certificates to a specific purpose? Do you have controls in place to prevent wildcard certificates from being used as a stop-gap for emergency projects? Limiting your use of wildcard certificates will help you better control their security. - Are you just trying to save time?
Are you looking at wildcard certificates because you are finding it too difficult to install or too time consuming to get certificates? If so, that may be a symptom that you’re not using the right solution to manage your machine identities. With proper levels of visibility, intelligence and automation, you can avoid wildcard certificates altogether and still end up with a more secure implementation that is just as easy to deploy and much easier to manage. - Are you trying to be more efficient?
Do you have a large number of sites hosted on a small amount of external infrastructure? If so, you should have excellent controls in place to make sure the wildcard certificate is not copied and distributed to other systems. - Are you only trying to save money?
If so, you need to weigh the security risks against the cost savings. You may save money on the initial implementation but spend even more later when an unknown wildcard certificate expires and causes an outage. Plus, it’s likely to take dozens of staff hours to untangle a complex web of wildcard certificates that has been allowed to grow organically.
The final verdict
Frankly speaking, the cons of using one security certificate to secure multiple domains largely outweigh any superficial benefit
In today’s fast-changing business landscape, data is the most valued currency for every business. A single SSL certificate doesn’t give you the assurance of tightly bolting your security gates against encryption misconfigurations and phishing attacks.
No one wants their organization’s name associated with a phishing attack. It tarnishes your reputation as well as the reliability of your brand. So, you need to make it as hard as possible for cybercriminals to infiltrate your domains and manipulate your encryption. Yes, there is an increased burden issuing and maintaining a server or application-specific certificate but with the right certificate management platform, you can both reduce risk and increase awareness through automation and intelligence.
So, it just makes sense to avoid using wildcard certificates on production systems. Instead, you should use subdomain-specific certificates that are rotated often. A compromised wildcard certificate can lead to serious repercussions. But you can avoid (or at least significantly mitigate) the potential impact of an attack by using short-lived, non-wildcard certificates.
If you are a growing business that needs to add new subdomains to your website frequently— you should seriously consider investing in certificate management solutions to protect your business against certificate outages or other impending dangers. But even if you are a small business, does the over-reliance on one certificate justify your reasons to save costs? You be the judge.
(This post has been updated. It was originally published on May 7, 2021.)
Related blogs