Wildcard SSL and SAN Certificates Securing Multiple Subdomains with One Certificate
Learn how to use wildcard SSL certificates and SAN certificates to secure multiple subdomains with a single certificate in your Node.js deployment.
Wildcard SSL and SAN Certificates
When you have multiple subdomains (api, app, admin, www), managing individual SSL certificates for each is tedious. Wildcard and SAN certificates solve this.
What Is a Wildcard Certificate?
A wildcard certificate covers a domain and ALL its first-level subdomains:
*.yourdomain.com
This single certificate covers:
- api.yourdomain.com
- app.yourdomain.com
- admin.yourdomain.com
- www.yourdomain.com
- any.yourdomain.com
It does NOT cover:
- yourdomain.com (root domain, unless included)
- sub.api.yourdomain.com (second-level subdomain)
What Is a SAN Certificate?
A SAN (Subject Alternative Name) certificate lists multiple specific domains:
yourdomain.com
www.yourdomain.com
api.yourdomain.com
app.yourdomain.com
Each domain is explicitly listed. More secure than wildcard but requires adding each new subdomain.
Wildcard vs SAN
| Feature | Wildcard | SAN |
|---|---|---|
| Coverage | All subdomains | Specific domains |
| Adding subdomains | Automatic | Must re-issue |
| Security | Less strict | More strict |
| Cost (commercial) | More expensive | Cheaper for few domains |
| Let's Encrypt | Free (DNS-01) | Free (HTTP-01) |
| Root domain | Not included (unless added) | Included |
Getting a Wildcard Certificate with Let's Encrypt
Wildcard certificates require DNS-01 challenge (not HTTP-01):
sudo certbot certonly --manual --preferred-challenges dns -d *.yourdomain.com -d yourdomain.com
Certbot will ask you to add a TXT record to your DNS:
_acme-challenge.yourdomain.com TXT "abc123verificationcode"
Add this in your DNS provider:
- Cloudflare: DNS → Add Record → Type TXT, Name _acme-challenge, Value (the code)
- Route 53: Create Record Set → Type TXT, Name _acme-challenge, Value (the code)
After adding the TXT record, press Enter in certbot to continue.
Automating Wildcard Certificate Renewal
DNS-01 challenge requires adding a new TXT record each renewal. Automate with Cloudflare plugin:
# Install Cloudflare plugin sudo apt install -y certbot-dns-cloudflare # Create Cloudflare credentials file sudo nano /etc/letsencrypt/cloudflare.ini
dns_cloudflare_api_token = your-cloudflare-api-token
sudo chmod 600 /etc/letsencrypt/cloudflare.ini
# Get wildcard certificate with auto-renewal sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d *.yourdomain.com -d yourdomain.com
Now renewal is automatic certbot adds and removes TXT records via the Cloudflare API.
Getting a SAN Certificate with Let's Encrypt
SAN certificates use HTTP-01 challenge (simpler):
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com -d api.yourdomain.com -d app.yourdomain.com
This gets one certificate covering all listed domains. To add a new subdomain later:
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com -d api.yourdomain.com -d app.yourdomain.com -d admin.yourdomain.com
Nginx Configuration with Wildcard
server { listen 443 ssl; server_name *.yourdomain.com yourdomain.com; ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; location / { proxy_pass http://localhost:3000; # ... proxy headers ... } }
Or with specific server blocks:
server { listen 443 ssl; server_name api.yourdomain.com; ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; location / { proxy_pass http://localhost:3000; } } server { listen 443 ssl; server_name app.yourdomain.com; ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; root /home/ubuntu/frontend/dist; location / { try_files $uri $uri/ /index.html; } }
Both use the same wildcard certificate.
The Takeaway
Wildcard certificates (*.yourdomain.com) cover all first-level subdomains with one certificate. They require DNS-01 challenge and are best automated with the Cloudflare DNS plugin. SAN certificates list specific domains and use HTTP-01 challenge (simpler). For DevTinder with multiple subdomains (api, app, admin), a wildcard certificate is the most convenient add new subdomains without re-issuing the certificate.
A wildcard certificate (*.yourdomain.com) covers a domain and all its first-level subdomains (api, app, admin, www, etc.) with a single certificate. It does NOT cover the root domain (yourdomain.com) unless explicitly included, or second-level subdomains (sub.api.yourdomain.com).
A SAN (Subject Alternative Name) certificate lists multiple specific domains explicitly (yourdomain.com, www.yourdomain.com, api.yourdomain.com). It's more secure than a wildcard but requires re-issuing when adding new subdomains.
Use sudo certbot certonly --manual --preferred-challenges dns -d *.yourdomain.com -d yourdomain.com. This requires DNS-01 challenge you add a TXT record (_acme-challenge) to your DNS. For automation, use the certbot-dns-cloudflare plugin with your Cloudflare API token.
Install certbot-dns-cloudflare, create a credentials file with your Cloudflare API token, then run certbot with --dns-cloudflare --dns-cloudflare-credentials. Certbot automatically adds and removes TXT records via the API during renewal.
Use a wildcard if you have many subdomains or plan to add more in the future (no re-issue needed). Use a SAN if you have a fixed number of subdomains and want more security (each domain is explicitly listed). Both are free with Let's Encrypt.
Ready to master Node.js completely?
Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course to dive deeper with high-quality video tutorials, solve interview questions, and a premium community.
Master Node.js
Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course.

