What’s the Difference? – Standard SSL vs Wildcard SSL Certificate

Understanding the difference in functionality between Wildcards and Single Domain SSL certificates

With Google mandating HTTPS in 2018, websites all over the world are scrambling to install SSL certificates and migrate from HTTP. And this is a good thing. Without HTTPS and SSL, all communication between a website and its visitors would be exchanged in plaintext—easily readable by an eavesdropping third party. Specifically, in the context of personal data and payment card information, this is a big problem. SSL fixes this by encrypting the connections between clients and servers so that the information being exchanged is unreadable to anyone but the party with the matching key.

But with this influx of new customers, there are a lot of people who don’t understand SSL, SSL/TLS certificates, and what they need to select to best secure their websites. That’s why we’ve written this guide comparing standard, single-domain SSL certificates with Wildcards.

Let’s start with a quick refresher on how ssl certificate works before we get into the specifics.

See Also: Wildcard SSL vs SAN SSL Certificate

standard ssl vs wildcard ssl certificate

A short rundown of SSL/TLS

When someone refers to SSL, there are two contexts they may be referring to. SSL, which is actually now TLS, is a protocol for encryption. An SSL certificate is a piece of software that binds a website to a public/private key pair and facilitates said encryption. There is no such thing as SSL. If someone refers to it that way, run. They don’t know what they’re talking about.

When you purchase and install an SSL certificate, you can migrate your website to HTTPS and start making secure connections. The way this works is a little complicated, but we’ll try to keep it simple.

Every operating system has a trust store, a collection of CA root certificates, and their public keys that are saved on your machine. From those root certificates, the CA issue, something called an Intermediate root. Because root certificates are so valuable, issuing directly from them is too risky as any misissuance that requires revocation of the root would invalidate every descendant certificate it’s chained to. Obviously, that’s not a risk worth taking.

So sign the intermediates with their roots’ private keys and issue off the intermediate. When we say issue what we really mean is a sign. You will create a Certificate Signing Request on your server (along with the private key) and then send the CSR to the CA. They use the CSR to populate the details in your certificate (after they validate the information provided) and then sign it with one of their intermediate roots’ private keys.

When someone visits your website, their computer will download the SSL certificate and then try to trace the signature back to the certificate whose private key was used to sign it. Once it reaches that certificate, it checks who signed it and continues following the chain until it reaches one of the CA roots in their trust store. If the signatures do chain back to a root, the browser will extend trust to the website. If not it creates an interstitial error.

Lets Talk About How SSL Certificates Facilitate Encryption

When a visitor arrives at your site after they have verified that the certificate chains to a root, their computer will begin what is called the SSL handshake. This is a process where the client and server exchange some information, including the list of algorithms and ciphers they both support, these are called cipher suites. Once the cipher suite is determined, the user’s computer will generate a pair of session keys and use the certificate’s public key to encrypt the session key and send it to the server where it can be decrypted with the private key and used to communicate.

There are two kinds of encryption at work when it comes to SSL. The first type is called asymmetric encryption. There is a publicly available key for encryption, but only the server has possession of the private key that can decrypt. Asymmetric encryption is one-way encryption. That’s great for secure key exchange but untenable for regular communication. So once the encrypted connection between the client and server begins, they switch to symmetric encryption. With symmetric encryption, a pair of matching keys can be used to both encrypt and decrypt, making it a far better choice for communication.

The other advantage that symmetric encryption has over asymmetric is performance. This is owing to the key size. A private key is typically 2,048-bit, much more robust than its symmetric counterparts, which means it would be harder to crack but also added latency to a connection. In fact, that’s been one of the biggest challenges facing the cryptographers that work on new versions of SSL/TLS shortening the time that the handshake takes. With the release of TLS 1.3 its been cut down to a single roundtrip, but there was a time where the handshake made the entire website slower. Again, that’s no longer an issue but it does illustrate why using a 2,048-bit key for communication is not advisable.

Symmetric keys are typically 256-bit length, which has less hardness (the measure of strength for encryption) but offers much better performance.

And just because the key size is smaller doesn’t make symmetric encryption less secure. It would still take a supercomputer over 1,000 years to crack a 256-bit symmetric session key. For what it’s worth it would take 4-quadrillion years (that’s a real number) for the same computer to crack a 2,408-bit key.

At any rate, the communication that takes place between the server and the client is encrypted symmetrically.

Now Let’s Talk About Single Domain SSL Certificates

Often called Standard SSL certificates, a single-domain SSL certificate is a default, baseline certificate type. It can be installed on one server and can secure both the WWW and non-WWW versions of a website.

Standard SSL certificates are available at three different validation levels.

Domain Validation simply requires server authentication. Organization Validation involves light business vetting and places verified organizational information in the certificate details. Extended Validation requires a deep business vetting but also places the verified organizational name prominently in the address bar.

Top Most Standard SSL Certificates & It’s Providers

Brand	SSL Product	SSL Type	Issuance Time	More Details
	Positive SSL	DV SSL	Immediate	Read More
	RapidSSL	DV SSL	Immediate	Read More
	QuickSSL Premium	DV SSL	Immediate	Read More
	PositiveSSL EV	EV SSL	1-5 Days	Read More
	SSL Web Server	OV SSL	1-3 Days	Read More

What is a Wildcard SSL certificate?

Wildcard SSL certificates are a special type of SSL certificate, in addition to securing a single domain, it also can secure an unlimited number of first-level sub-domain. These are examples of Sub-Domains:

Mail.website.com
Members.website.com
Development.website.com
Loging.website.com

As you can see, a first level sub-domain comes right before the domain name. Lots of websites use sub-domains and while you can use standard SSL certificates to encrypt each one individually, that would have cost-prohibitive.

Wildcards allow websites to encrypt all of their sub-domains with a single certificate. This saves time and money. And best of all, if you add a sub-domain you don’t even have to re-issue the certificate, just reconfigure your server and your Wildcard will secure the new sub-domain, too.
There are a couple of drawbacks to Wildcards though.

First and foremost, from a security standpoint, you’re potentially inviting greater risk because the same private key will be associated with all of your sub-domains. So, if your private key ever gets compromised you won’t be able to limit the damage, all of your sub-domains will be compromised, too.

Additionally, Wildcards are not available at the Extended Validation level. This is also for security reasons.

Top Most Wildcard SSL Certificates & It’s Providers

Brand	SSL Product	SSL Type	Issuance Time	More Details
	Positive SSL Wildcard	DV SSL	Immediate	Read More
	Premium SSL Wildcard	OV SSL	1-3 Days	Read More
	RapidSSL Wildcard	DV SSL	Immediate	Read More
	SSL123 Wildcard	DV SSL	Immediate	Read More
	True BusinessID Wildcard	OV SSL	1-3 Days	Read More
	Secure Site Wildcard	OV SSL	1-3 Days	Read More

What is best for your website?

Deciding between a single domain certificate and a wildcard really comes down to what you’re trying to do. If you have a larger digital infrastructure and just want to get everything encrypted, a DV Wildcard may be your best bet. If you’re an Enterprise attempting to secure sub-domains on an internal website, an OV Wildcard is a good fit. But if you’ve got a small website or you want to put the EV name badge on all your sub-domains, you’ll need to go with Standard SSL certificates and encrypt each individually. The choice is yours, we just want you to have all of the information.

Main Features	Comodo Positive SSL	Comodo Positive SSL Wildcard
Certificate Authority	Comodo	Comodo
Domains Included	1	1 + all one level sub-domains
Lowest Price	$7.27/yr	$72.31/yr
Domains Secured	www.domain.com, domain.com	domain.com, www.domain.com, login.domain.com, mail.domain.com
Best For	Personal Websites/Blogs	Personal Websites/Blogs
Additional Domains
Validation Level	Domain	Domain
Paperwork
Time to Receive SSL	Within Minutes	Within Minutes
SSL Encryption	up to 256-bit	up to 256-bit
Key Length	2048 bits	2048 bits
Assurance Level	Medium	Medium
Notification Level in Browsers	Domain name displayed on certificate details	Domain name displayed on certificate details
Server License	Unlimited	Unlimited
SSL Site Seal
Reissue Policy
Warranty by CA	$10,000	$10,000
Refund Policy	30 days	30 days
Organization Name in URL
Wildcard Support
SAN / UCC Support
Browser Support	99%	99%
OS Support [Desktop]
OS Support [Mobile]
	Get It Now	Get It Now