Facebook Pixel

Wildcard SSL and SAN Certificates Securing Multiple Subdomains with One Certificate

Learn how to use wildcard SSL certificates and SAN certificates to secure multiple subdomains with a single certificate in your Node.js deployment.

Wildcard SSL and SAN Certificates

When you have multiple subdomains (api, app, admin, www), managing individual SSL certificates for each is tedious. Wildcard and SAN certificates solve this.

What Is a Wildcard Certificate?

A wildcard certificate covers a domain and ALL its first-level subdomains:

*.yourdomain.com

This single certificate covers:

  • api.yourdomain.com
  • app.yourdomain.com
  • admin.yourdomain.com
  • www.yourdomain.com
  • any.yourdomain.com

It does NOT cover:

  • yourdomain.com (root domain, unless included)
  • sub.api.yourdomain.com (second-level subdomain)

What Is a SAN Certificate?

A SAN (Subject Alternative Name) certificate lists multiple specific domains:

yourdomain.com
www.yourdomain.com
api.yourdomain.com
app.yourdomain.com

Each domain is explicitly listed. More secure than wildcard but requires adding each new subdomain.

Wildcard vs SAN

FeatureWildcardSAN
CoverageAll subdomainsSpecific domains
Adding subdomainsAutomaticMust re-issue
SecurityLess strictMore strict
Cost (commercial)More expensiveCheaper for few domains
Let's EncryptFree (DNS-01)Free (HTTP-01)
Root domainNot included (unless added)Included

Getting a Wildcard Certificate with Let's Encrypt

Wildcard certificates require DNS-01 challenge (not HTTP-01):

sudo certbot certonly --manual --preferred-challenges dns -d *.yourdomain.com -d yourdomain.com

Certbot will ask you to add a TXT record to your DNS:

_acme-challenge.yourdomain.com TXT "abc123verificationcode"

Add this in your DNS provider:

  • Cloudflare: DNS → Add Record → Type TXT, Name _acme-challenge, Value (the code)
  • Route 53: Create Record Set → Type TXT, Name _acme-challenge, Value (the code)

After adding the TXT record, press Enter in certbot to continue.

Automating Wildcard Certificate Renewal

DNS-01 challenge requires adding a new TXT record each renewal. Automate with Cloudflare plugin:

# Install Cloudflare plugin sudo apt install -y certbot-dns-cloudflare # Create Cloudflare credentials file sudo nano /etc/letsencrypt/cloudflare.ini
dns_cloudflare_api_token = your-cloudflare-api-token
sudo chmod 600 /etc/letsencrypt/cloudflare.ini
# Get wildcard certificate with auto-renewal sudo certbot certonly --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d *.yourdomain.com -d yourdomain.com

Now renewal is automatic certbot adds and removes TXT records via the Cloudflare API.

Getting a SAN Certificate with Let's Encrypt

SAN certificates use HTTP-01 challenge (simpler):

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com -d api.yourdomain.com -d app.yourdomain.com

This gets one certificate covering all listed domains. To add a new subdomain later:

sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com -d api.yourdomain.com -d app.yourdomain.com -d admin.yourdomain.com

Nginx Configuration with Wildcard

server { listen 443 ssl; server_name *.yourdomain.com yourdomain.com; ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; location / { proxy_pass http://localhost:3000; # ... proxy headers ... } }

Or with specific server blocks:

server { listen 443 ssl; server_name api.yourdomain.com; ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; location / { proxy_pass http://localhost:3000; } } server { listen 443 ssl; server_name app.yourdomain.com; ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem; root /home/ubuntu/frontend/dist; location / { try_files $uri $uri/ /index.html; } }

Both use the same wildcard certificate.

The Takeaway

Wildcard certificates (*.yourdomain.com) cover all first-level subdomains with one certificate. They require DNS-01 challenge and are best automated with the Cloudflare DNS plugin. SAN certificates list specific domains and use HTTP-01 challenge (simpler). For DevTinder with multiple subdomains (api, app, admin), a wildcard certificate is the most convenient add new subdomains without re-issuing the certificate.

A wildcard certificate (*.yourdomain.com) covers a domain and all its first-level subdomains (api, app, admin, www, etc.) with a single certificate. It does NOT cover the root domain (yourdomain.com) unless explicitly included, or second-level subdomains (sub.api.yourdomain.com).

A SAN (Subject Alternative Name) certificate lists multiple specific domains explicitly (yourdomain.com, www.yourdomain.com, api.yourdomain.com). It's more secure than a wildcard but requires re-issuing when adding new subdomains.

Use sudo certbot certonly --manual --preferred-challenges dns -d *.yourdomain.com -d yourdomain.com. This requires DNS-01 challenge you add a TXT record (_acme-challenge) to your DNS. For automation, use the certbot-dns-cloudflare plugin with your Cloudflare API token.

Install certbot-dns-cloudflare, create a credentials file with your Cloudflare API token, then run certbot with --dns-cloudflare --dns-cloudflare-credentials. Certbot automatically adds and removes TXT records via the API during renewal.

Use a wildcard if you have many subdomains or plan to add more in the future (no re-issue needed). Use a SAN if you have a fixed number of subdomains and want more security (each domain is explicitly listed). Both are free with Let's Encrypt.

Ready to master Node.js completely?

Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course to dive deeper with high-quality video tutorials, solve interview questions, and a premium community.

Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.