Every team I've worked with has had the same moment. Someone proposes issuing individual certificates for each service, and a senior engineer says, "Why don't we just use a wildcard?" It sounds reasonable. One certificate for *.example.com covers everything. Less to manage, fewer renewals, simpler automation. Meeting adjourned.
Six months later, that wildcard's private key lives on fourteen servers, two CDN configurations, a load balancer, and a container image that three teams deploy independently. Nobody has written down where all the copies are.
This is the wildcard certificate trap. The simplicity up front is real. You pay for it later.
The convenience assumption and where it breaks
Wildcard certificates solve a genuine problem: you don't want to provision a new cert every time someone spins up a new subdomain. For small environments, say a handful of services behind a single reverse proxy, a wildcard is perfectly fine. The private key lives in one place, renewal touches one system, and the blast radius of any failure is contained.
The trouble starts when the wildcard key needs to exist in more than one place. In any environment with real traffic, it always does.
Your API runs on api.example.com. Your customer dashboard is on app.example.com. Your docs site is on docs.example.com behind a CDN. Your staging environment uses staging.example.com. All covered by one wildcard, but each service needs access to the private key. So the key gets copied to multiple servers, uploaded to CDN providers, injected into container orchestration secrets, and stored in at least two cloud provider secret managers because your CDN runs on a different provider than your compute.
Each copy is an exposure surface, and every team deploying one of those services needs access to the key material or at least to the secret store that holds it. The wildcard certificate security risks add up with each new service that shares the key.
The comparison people should be making is wildcard vs SAN certificate strategies, or more precisely, wildcard vs per-service certificates with automation. SANs let you put multiple specific domains on one cert without the open-ended coverage of a wildcard. Per-service certs scope the blast radius to a single service. Both require more certificates but distribute risk differently.
One key, every subdomain
Say a single wildcard private key gets compromised.
With a per-service certificate, a key compromise means an attacker can impersonate one service. Bad, but bounded. You revoke that cert, reissue, deploy to one place. Done.
With a wildcard, that same compromise means the attacker can impersonate any subdomain under your domain. Your API, your admin panel, your customer-facing app, all of your internal tools. They can spin up a convincing phishing page on any subdomain and the certificate will be perfectly valid.
Revocation is where the real pain hits. You revoke the wildcard, and every service using it goes untrusted simultaneously. Then you generate a new key pair, issue a new certificate, and deploy it to every location where the old one lived. Remember that list of fourteen servers, two CDNs, and a container image? All of them. Fast. Without missing any.
I've seen environments where the revocation-and-reissue process for a shared wildcard took over six hours because nobody had a complete inventory of where the key was deployed. Six hours of choosing between running a compromised certificate and taking services offline.
This is not a hypothetical risk. Key material gets exposed through misconfigured backups, overly broad access to secret stores, developers pulling production secrets into local environments, CI/CD pipelines that cache credentials longer than they should. The question isn't whether it can happen. It's whether your blast radius is one service or your entire domain.
Certificate Transparency sees everything anyway
One argument I hear for wildcards is that they reduce information leakage. The theory: if you issue individual certs for internal-tools.example.com and admin-panel.example.com, those names show up in Certificate Transparency logs, revealing your infrastructure. A wildcard for *.example.com doesn't expose specific subdomain names.
Partially true. Mostly irrelevant.
CT logs will show that you issued a wildcard for *.example.com, which tells an attacker that subdomains exist and are worth probing. DNS enumeration tools, search engine indexing, and passive DNS databases will surface your subdomains regardless of your certificate strategy. If subdomain discovery is your threat model, you need DNS hygiene and network segmentation, not certificate obfuscation.
The wildcard also creates its own monitoring blind spot. With individual certificates per service, you can monitor CT logs for unexpected issuance per subdomain. If someone issues a cert for api.example.com and it wasn't you, that's a clear signal. With a wildcard, you're watching for unauthorized wildcard issuance, but you won't catch an attacker who obtains a single-domain cert for one of your subdomains because your monitoring is scoped to wildcards.
Then there's the renewal single point of failure. If your wildcard cert expires, every service behind it goes dark at the same time. Per-service certs issued on different schedules mean a single renewal failure takes out one service. A wildcard means one missed renewal is a full outage across every subdomain. I've seen this happen during cloud provider issues where the ACME endpoint was unreachable for a few hours, just long enough to miss the renewal window for a short-lived wildcard. The entire estate, serving expired certificates, all at once.
The 47-day reckoning
Everything I've described gets worse under the CA/Browser Forum's SC-081v3 timeline. We're already in the 200-day maximum lifetime phase as of March 2026. By March 2027, that drops to 100 days. By March 2029, 47 days.
Shorter lifetimes are good for security. They limit the window of exposure for any compromised key. But they change the operational math of wildcard certificates entirely.
With a 398-day certificate, you renewed your wildcard once a year. Coordinating deployment across a dozen services annually is annoying but manageable. Someone puts it on the calendar, a runbook gets followed, things get updated.
At 47 days, that coordination happens roughly every month. Renew the wildcard, distribute the new certificate and key to every service, verify every deployment succeeded, handle any failures, all within a tight window before the old cert expires.
The "fewer certificates means less work" equation inverts completely. A wildcard covering twenty services means one renewal event requiring twenty coordinated deployments. Twenty per-service certificates with ACME automation means twenty independent events that each need zero coordination because they're fully automated within each service's pipeline.
The wildcard requires orchestration. Per-service certs require automation. Not the same thing. Orchestration needs humans in the loop or a centralized system pushing keys to every consumer. Automation runs locally within each service and fails independently. Guess which one still works at 3am when your on-call is asleep.
When per-service certificates win
The breakeven comes down to where the private key lives.
If it exists in exactly one place, a single reverse proxy or ingress controller terminating TLS for everything behind it, a wildcard is fine. The key is in one location, renewal touches one system, and compromise plays out the same as a per-service cert because revocation and reissue happen in one place.
The moment that key needs to be copied to multiple independent systems, you're paying the distribution tax on every renewal and carrying the blast radius risk every day between renewals. That's where per-service certificates with ACME automation become cheaper in actual operational cost, even though you're managing more certificates.
You don't have to migrate everything at once. Start with your highest-risk services: anything handling authentication, payment, or admin access. Issue dedicated certs for those, automate renewal through your platform's native tooling or a cert-manager equivalent, and leave the wildcard in place for lower-risk services while you transition.
The metric to track is key location count: how many distinct systems hold a copy of any given private key. A strategy where every key exists in exactly one location is more secure and simpler to operate than one where keys get copied across systems. True whether you're using wildcards, SANs, or individual certs.
Getting to visibility first
None of this matters if you don't know what certificates you have and where they're deployed. First step, before any strategy change, is a complete inventory.
If you're running across multiple cloud providers, that means pulling cert inventories from ACM, Key Vault, and GCP Certificate Manager, scanning your external endpoints for what's actually being served, and cross-referencing against CT logs for anything you missed. Tools like CertPulse exist for exactly this, aggregating certificate data across providers and endpoints so you can see your exposure before deciding how to reduce it.
Wildcard certificates optimize for the wrong metric. They minimize the number of certificates, when what actually matters is minimizing the number of places private keys live and the blast radius when something goes wrong. Once you can see your certificate estate clearly, the right strategy tends to be pretty obvious.
This is why we built CertPulse
CertPulse connects to your AWS, Azure, and GCP accounts, enumerates every certificate, monitors your external endpoints, and watches Certificate Transparency logs. One dashboard for every cert. Alerts when auto-renewal fails. Alerts when certs approach expiry. Alerts when someone issues a cert for your domain that you didn't request.
If you're looking for complete certificate visibility without maintaining scripts, we can get you there in about 5 minutes.