What’s the Difference? – Standard SSL vs Wildcard SSL Certificate

Understanding the difference in functionality between Wildcards and Single Domain SSL certificates

With Google mandating HTTPS in 2018, websites all over the world are scrambling to install SSL certificates and migrate from HTTP. And this is a good thing. Without HTTPS and SSL, all communication between a website and its visitors would be exchanged in plaintext—easily readable by an eavesdropping third party. Specifically, in the context of personal data and payment card information, this is a big problem. SSL fixes this by encrypting the connections between clients and servers so that the information being exchanged is unreadable to anyone but the party with the matching key.

But with this influx of new customers, there are a lot of people who don’t understand SSL, SSL/TLS certificates and what they need to select to best secure their websites. That’s why we’ve written this guide comparing standard, single domain SSL certificates with Wildcards.

Let’s start with a quick refresher on how SSL certificates work before we get into the specifics.


A short rundown of SSL/TLS

When someone refers to SSL, there are two things they may mean. SSL, which is actually now TLS, is a protocol for encryption. An SSL certificate is a file that binds a website to a public/private key pair and facilitates that encryption. There is no such thing as "an SSL". If someone refers to it that way, run. They don’t know what they’re talking about.

When you purchase and install an SSL certificate, you can migrate your website to HTTPS and start making secure connections. The way this works is a little complicated, but we’ll try to keep it simple.

Every operating system has a trust store, a collection of CA root certificates (and their public keys) saved on your machine. From those root certificates, the CA issues something called an intermediate. Because root certificates are so valuable, issuing directly from them is too risky: any mis-issuance that required revocation of the root would invalidate every certificate chained to it. Obviously, that’s not a risk worth taking.

So CAs sign intermediates with their roots’ private keys and issue from the intermediate. When we say issue, what we really mean is sign. You create a Certificate Signing Request (CSR) on your server, along with the private key, and send the CSR to the CA. The CA uses the CSR to populate the details in your certificate (after validating the information provided) and then signs it with one of its intermediates’ private keys.

When someone visits your website, their browser downloads the SSL certificate and tries to trace its signature back to the certificate whose private key was used to sign it. Once it reaches that certificate, it checks who signed that one and keeps following the chain until it reaches one of the CA roots in the trust store. If the signatures chain back to a trusted root, the browser extends trust to the website. If not, it displays an interstitial error.

Let’s Talk About How SSL Certificates Facilitate Encryption

When a visitor arrives at your site, after their browser has verified that the certificate chains to a root, it begins what is called the SSL handshake. This is a process in which the client and server exchange some information, including the list of algorithms and ciphers they both support; these combinations are called cipher suites. Once the cipher suite is determined, the user’s computer generates a session key, encrypts it with the certificate’s public key and sends it to the server, where it is decrypted with the private key and used to communicate.

There are two kinds of encryption at work in SSL. The first is asymmetric encryption: there is a publicly available key for encryption, but only the server possesses the private key that can decrypt. Asymmetric encryption is one-way. That’s great for secure key exchange but untenable for regular communication. So once the encrypted connection between client and server is established, they switch to symmetric encryption. With symmetric encryption, both sides hold matching copies of the same key, which is used to both encrypt and decrypt, making it a far better choice for communication.

The other advantage symmetric encryption has over asymmetric is performance, owing to key size. A private key is typically 2,048-bit, much larger than its symmetric counterparts, which makes it harder to crack but also adds latency to a connection. In fact, that has been one of the biggest challenges facing the cryptographers who work on new versions of SSL/TLS: shortening the time the handshake takes. With the release of TLS 1.3 it’s been cut down to a single round trip, but there was a time when the handshake made the entire website slower. Again, that’s no longer an issue, but it does illustrate why using a 2,048-bit key for ordinary communication is not advisable.

Symmetric keys are typically 256 bits long, which gives less hardness (the measure of strength for encryption) but offers much better performance.

And just because the key size is smaller doesn’t make symmetric encryption less secure. It would still take a supercomputer over 1,000 years to crack a 256-bit symmetric session key. For what it’s worth, it would take 4 quadrillion years (that’s a real number) for the same computer to crack a 2,048-bit key.

At any rate, the communication that takes place between the server and the client is encrypted symmetrically.

Now Let’s Talk About Single Domain SSL Certificates

Often called Standard SSL certificates, a single domain SSL certificate is the default, baseline certificate type. It can be installed on one server and secures both the WWW and non-WWW versions of a website.

Standard SSL certificates are available at three different validation levels.

Domain Validation simply requires server authentication. Organization Validation involves light business vetting and places verified organizational information in the certificate details. Extended Validation requires a deep business vetting but also places the verified organizational name prominently in the address bar. 

Top Standard SSL Certificates and Their Providers

Brand      SSL Product         SSL Type   Price/Year    Retail Cost
Comodo     Positive SSL        DV SSL     $7.27/yr      $196.00/yr
Comodo     RapidSSL            DV SSL     $14.95/yr     $138.00/yr
GeoTrust   QuickSSL Premium    DV SSL     $68.50/yr     $261.00/yr
Comodo     PositiveSSL EV      EV SSL     $74.99/yr     $596.00/yr
Thawte     SSL Web Server      OV SSL     $86.50/yr     $345.00/yr

What is a Wildcard SSL certificate?

Wildcard SSL certificates are a special type of SSL certificate: in addition to securing a single domain, they can also secure an unlimited number of first-level sub-domains. These are examples of sub-domains:

  • Mail.website.com
  • Members.website.com
  • Development.website.com
  • Login.website.com

As you can see, a first-level sub-domain comes right before the domain name. Lots of websites use sub-domains, and while you could use standard SSL certificates to encrypt each one individually, that would be cost prohibitive.

Wildcards allow websites to encrypt all of their sub-domains with a single certificate. This saves time and money. And best of all, if you add a sub-domain you don’t even have to re-issue the certificate, just reconfigure your server and your Wildcard will secure the new sub-domain, too.
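The chain walk described in the SSL/TLS rundown above (the root signs an intermediate, the intermediate signs your CSR, and the visitor's browser follows the signatures back to a trusted root) and the first-level-only coverage of a Wildcard can both be watched end to end with OpenSSL. The script below is an added example, not code from the original article or from any CA: it builds a throwaway root, intermediate and *.example.com leaf in a temporary directory (example.com and the CA names are constructed placeholders), verifies the chain, and then asks OpenSSL which hostnames that leaf actually covers. It assumes openssl 1.1.1 or later is on the PATH.

```shell
#!/bin/sh
# Added example: root -> intermediate -> wildcard leaf, built locally with
# openssl. Nothing here touches a real CA or a real domain; example.com and
# the CA names are constructed placeholders.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# 1. Root CA. Self-signed; in real life a copy of this sits in the OS trust store.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -keyout root.key -out root.csr -subj "/CN=Example Root CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
  -extfile root.ext -out root.pem

# 2. Intermediate. A CSR signed with the root's private key and marked CA:TRUE,
#    so the root itself never signs end-entity certificates.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -keyout inter.key -out inter.csr -subj "/CN=Example Intermediate CA" 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile inter.ext -out inter.pem

# 3. Leaf. This is the CSR you generate on your own server; leaf.key stays
#    there and only leaf.csr goes to the CA.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -keyout leaf.key -out leaf.csr -subj "/CN=*.example.com" 2>/dev/null
# The CA signs with the intermediate's key. The SAN lists the wildcard AND the
# bare domain, because *.example.com on its own does not cover example.com.
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:*.example.com,DNS:example.com\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -sha256 -extfile leaf.ext -out leaf.pem

# Chain check: leaf signature -> intermediate -> root in the trust store.
# Returns 0 when the signatures chain back to root.pem.
verify_chain() {
  openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

# Hostname check: does the leaf's SAN cover the name the visitor typed?
# Returns 0 on a match, non-zero otherwise (the same test a browser performs).
covers() {
  openssl verify -CAfile root.pem -untrusted inter.pem \
    -verify_hostname "$1" leaf.pem >/dev/null 2>&1
}

report() {
  if covers "$1"; then echo "$1: covered"; else echo "$1: NOT covered"; fi
}

verify_chain && echo "chain: OK"
report mail.example.com        # first-level sub-domain: covered by *.example.com
report example.com             # covered only because the SAN lists it explicitly
report deep.mail.example.com   # second level: NOT covered, the * matches one label
report other.example.org       # different domain: NOT covered
```

Running it prints "chain: OK", then "covered" for mail.example.com and example.com and "NOT covered" for deep.mail.example.com and other.example.org, which is the first-level-only rule from the list above in action. Notice too that the single leaf.key serves every matching sub-domain, which is exactly the shared-key trade-off described under the drawbacks below.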

There are a couple of drawbacks to Wildcards though.

First and foremost, from a security standpoint, you’re potentially inviting greater risk because the same private key is associated with all of your sub-domains. So if your private key is ever compromised, you won’t be able to limit the damage: all of your sub-domains will be compromised, too.

Additionally, Wildcards are not available at the Extended Validation level. This is also for security reasons. 

Top Wildcard SSL Certificates and Their Providers

Brand      SSL Product                 SSL Type   Price/Year      Retail Cost
Comodo     Positive SSL Wildcard       DV SSL     $72.31/yr       $996.00/yr
Comodo     Premium SSL Wildcard        OV SSL     $112.93/yr      $1799.80/yr
Comodo     RapidSSL Wildcard           DV SSL     $130.00/yr      $537.00/yr
Thawte     SSL123 Wildcard             DV SSL     $261.63/yr      $1305.00/yr
GeoTrust   True BusinessID Wildcard    OV SSL     $384.00/yr      $1049.00/yr
GeoTrust   Secure Site Wildcard        OV SSL     $1661.50/yr     $3595.00/yr

What is best for your website?

Deciding between a single domain certificate and a wildcard really comes down to what you’re trying to do. If you have a larger digital infrastructure and just want to get everything encrypted, a DV Wildcard may be your best bet. If you’re an Enterprise attempting to secure sub-domains on an internal website, an OV Wildcard is a good fit. But if you’ve got a small website or you want to put the EV name badge on all your sub-domains, you’ll need to go with Standard SSL certificates and encrypt each individually.

The choice is yours, we just want you to have all of the information.
