Let’s Encrypt is releasing wildcard certificates in 2018! This was actually announced a few months ago, but since 2017 is almost over, I think this is a good time to revisit this.
Background info
A Certificate Authority (CA) is an organization trusted to issue cryptographic certificates for websites and the like. When you’re browsing and see https:// instead of http://, the site you’re visiting is using an SSL/TLS certificate from a CA. With that certificate, your browser can set up an encrypted connection to the site, preventing the communication from being intercepted and read by third parties.
Additionally, CAs may validate that the cert requester:
1. Can control the domain name (example.com) for which they are requesting a certificate;
2. Owns the domain name as the organization/legal entity on record;
3. Actually is a real legal entity, AKA Extended Validation (EV), in which case you’d also see their name in the location bar.
#2 and #3 grant you additional levels of assurance that the website you’re visiting is genuine. Generally though, ordinary users don’t bother to check the cert details. At most, they’d glance at the location bar, see that it says Secure and go right on. That’s usually good enough. The only time I personally take extra caution is when dealing with an e-commerce or banking site for the first time.
SSL/TLS certs usually cost a lot, especially if #2 and #3 are involved. Certs which only undergo domain validation (#1) have dropped in price, but are still around $10/year from a budget provider. These certificates are typically valid for a year or more before they expire.
A regular certificate is issued for only one hostname at a time, e.g. www.example.com but not blog.example.com. (Nowadays, they usually throw in one for www when you get a cert for example.com.) A wildcard certificate is one that secures any subdomain, e.g. shop.example.com, support.example.com, etc. They cost even more. Much more.
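As an added example that is not part of the original post, here is a small Python checker for which hostnames a certificate’s subjectAltName list covers, applying the wildcard rules browsers use: *.example.com covers shop.example.com and support.example.com, but not example.com itself (which must be listed separately) and not a.b.example.com. The SAN list and hostnames are constructed for illustration.

```python
import re

# Added example (not from the original post): which hostnames a certificate's
# subjectAltName entries cover, following the wildcard rules browsers apply
# (RFC 6125 section 6.4.3): a '*' may only be the whole leftmost label, it
# matches exactly one label, and it never matches the bare domain itself.

LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _valid_labels(labels):
    return all(LABEL.match(label) for label in labels)


def name_matches(san_entry: str, hostname: str) -> bool:
    """Return True if one DNS name from the certificate covers hostname."""
    pattern = san_entry.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if not host or not pattern:
        return False
    host_labels = host.split(".")
    if not _valid_labels(host_labels):
        return False
    if "*" not in pattern:
        return pattern == host
    pat_labels = pattern.split(".")
    # Only a lone '*' as the entire leftmost label is accepted; partial
    # wildcards like 'sh*.example.com' and '*.*.example.com' are rejected.
    if pat_labels[0] != "*" or "*" in ".".join(pat_labels[1:]):
        return False
    # Refuse wildcards that would cover a whole TLD ('*.com') or everything.
    if len(pat_labels) < 3 or not _valid_labels(pat_labels[1:]):
        return False
    # The wildcard stands in for exactly one label, so label counts must agree.
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def cert_covers(san_names, hostname: str) -> bool:
    """True if any subjectAltName dNSName entry in san_names covers hostname."""
    return any(name_matches(name, hostname) for name in san_names)


# Constructed SAN list like the one a wildcard certificate for example.com
# would carry; the bare domain must be listed explicitly alongside '*'.
WILDCARD_CERT_SANS = ["*.example.com", "example.com"]

if __name__ == "__main__":
    for host in ["shop.example.com", "example.com", "a.b.example.com", "example.org"]:
        print(f"{host:20} covered: {cert_covers(WILDCARD_CERT_SANS, host)}")
```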
Enter Let’s Encrypt.