How to choose SSL certificates for single domain, multiple domains, wildcard, and generic domains?
Many website owners spend most of their time choosing servers and configuring the environment when building a website, only to struggle with SSL certificates. Opening a certificate purchase page, the terms "single domain," "multiple domain," "wildcard," and "genuine domain" are enough to overwhelm anyone. Even worse, choosing the wrong certificate not only wastes money but can also lead to incompatibility issues later on when expanding business. This article will break down the differences between these certificate types and the selection logic from a practical business perspective.
I. Clarifying the Concepts: What Do They Protect?
Before discussing how to choose, it's essential to understand the coverage of each certificate type; this is the foundation of selection.
Single domain certificates are the most basic type, as the name suggests—they protect only one specific domain. For example, if you buy a single domain certificate for www.example.com, it can only be used for that one domain; blog.example.com and api.example.com are not protected. It doesn't care if you're using the same server; it only recognizes the domain name itself.
Wildcard certificates, also known as wildcard certificates, are characterized by the asterisk (*). The format is typically *.example.com, and this asterisk matches any second-level subdomain. This means that shop.example.com, member.example.com, and api.example.com can all be covered by the same certificate. However, a key limitation is that it only matches first-level subdomains; third-level subdomains like a.b.example.com are not supported. Additionally, if you purchase a *.example.com certificate, some Certificate Authorities (CAs) will include the bare domain example.com itself by default.
Multi-domain certificates, technically called SAN (Subject Alternative Name) certificates, differ from wildcard certificates in that wildcard certificates only govern subdomains under the same main domain, while multi-domain certificates can bind multiple completely independent domains to a single certificate. These domains can have completely different main domains. For example, you can put three completely unrelated domains—example.com, test.cn, and demo.net—in the same certificate; this is what a multi-domain certificate does. Typically, a certificate supports 2-5 domains by default, but can be expanded to 100 or more.
Wildcards and wildcard domains are essentially the same thing in the Chinese context; both refer to certificate types containing the * wildcard character. These two terms are used interchangeably in most articles, so don't worry too much about the literal differences.
II. Think Clearly About Your Domain Structure Before Choosing a Certificate
Choosing a certificate isn't about which name sounds best, but about how your business will develop in the future. A practical way to determine this is to ask yourself three questions.
First question: How many domains do you need to protect?
If you only have one domain, such as a personal blog or a small business website, then a single-domain certificate is sufficient. There's no need to spend extra money on features you won't use. Single-domain certificates have the lowest cost and simplest configuration, making them the cleanest and most efficient solution for a single-domain scenario.
Second question: If you have multiple domains, are they subdomains of the same main domain, or from different main domains?
This question directly determines whether you should choose wildcard domains or multiple domains.
If your multiple subdomains belong to the same main domain, such as www.example.com, shop.example.com, and api.example.com, a single wildcard certificate (*.example.com) can cover them all. Furthermore, adding a new subdomain in the future won't require a new certificate application; it will work directly. This is especially convenient for SaaS service providers, e-commerce platforms with multiple business lines, or companies with multiple regional branches.
However, if your domains span multiple main domains, such as a company operating official websites for two different brands (brand-a.com and brand-b.com), wildcard certificates are insufficient. In this case, a multi-domain certificate is necessary to bind the two independent main domains together.
The third question: How deep is your domain hierarchy?
Wildcard certificates only cover second-level domains. If your business involves third-level or deeper subdomains, such as dev.api.example.com, wildcard certificates won't cover them. You'll need to apply for separate certificates for these deeper domains, or choose a multi-domain certificate that can add specific subdomains as a fallback.
III. Verification Level Cannot Be Ignored
Domain type is only one dimension in the selection process; another equally important dimension is the verification level. Even among single-domain certificates, the differences between DV, OV, and EV levels are significant.
DV Certificates: DV certificates only verify domain ownership. The review process is the fastest, taking only minutes to tens of minutes, and the cost is the lowest. Suitable for personal websites, testing environments, and utility sites—scenarios where corporate identity is not required.
OV Certificates: OV certificates require verification of the company's identity. The certificate displays the company name, and the review period is generally 3-5 business days. Suitable for e-commerce platforms, corporate websites, and membership systems—scenarios where users need to see that "this is a legitimate company operating," effectively increasing trust.
EV Certificates: EV certificates have the strictest review process, requiring multiple legal verifications. The review period is the longest, and it represents the highest compliance requirement. Sensitive businesses such as financial payments, government services, and medical data typically require EV certificates to meet compliance requirements. However, it's important to note that mainstream browsers have removed the old green address bar display. EV certificates now primarily hide company information in the certificate details panel, but their legal validity and anti-phishing capabilities remain the strongest.
There's a common combination limitation to be aware of: EV certificates do not support wildcard domains. If your business needs to cover multiple subdomains and requires EV-level authentication, you'll have to choose a multi-domain EV certificate, adding the necessary subdomains one by one.
IV. Several Typical Selection Combinations
After understanding the above rules, you can choose the appropriate combination based on your needs:
Personal blogs, static display pages, temporary test sites: DV single domain – lowest cost, fastest issuance, sufficient for most needs.
Corporate website (single domain, no complex subdomains): OV single domain – provides additional corporate identity endorsement compared to DV; users can verify company information through the certificate details, offering moderate cost-effectiveness.
For e-commerce platforms, SaaS services, and enterprises with multiple business subdomains: OV wildcard domains allow one certificate to manage all second-level subdomains, eliminating the need for additional applications for new business launches and significantly reducing management costs.
For group enterprises, multi-brand operations, and cross-domain businesses: OV or EV multi-domain certificates allow unified management of domains from different main domains under a single certificate, avoiding the hassle of maintaining multiple certificates separately.
For core payment pages, financial transaction systems, and government platforms: EV multi-domain certificates or EV single-domain certificates provide the highest level of identity authentication, meeting stringent compliance requirements.
V. Several Common Pitfalls to Avoid in Advance
There are some common pitfalls to avoid when selecting a certificate; knowing them beforehand can save you a lot of trouble.
Pitfall 1: Blindly Using Wildcard Domains. Some website owners think wildcard domains sound "premium" and spend more money on them, even though they only have two or three subdomains. While wildcard domains offer wider coverage, they also mean higher private key permissions, leading to a wider impact if leaked. For scenarios with fewer than five subdomains, using multiple single-domain certificates or choosing a multi-domain certificate may be more flexible and the risks more controllable. Pitfall 2: Treating wildcard domains as a universal key. Buying *.example.com and assuming all subdomains are covered, only to find errors when accessing a.b.example.com. This is due to a misunderstanding of the limitation that wildcard domains only protect first-level subdomains.
Pitfall 3: Packing too many domains into a multi-domain certificate without proper change management. If any domain on a multi-domain certificate becomes invalid or its ownership changes, the entire certificate may be revoked. If the domain list is not maintained, it can have a cascading effect.
Pitfall 4: Forcing an EV certificate for low-security scenarios. Buying an EV certificate for a personal blog is wasteful and prolongs the deployment cycle; it's completely unnecessary. The verification level should match the business sensitivity, not necessarily the higher the better.
Choosing an SSL certificate is essentially a review of your business domain architecture. First, count how many domains you need to protect; then, determine whether they are within the same domain or across domains; finally, decide on the verification level based on the nature of your business. Following these three steps will make the choice clear. There are no absolutely good or bad certificates, only certificates that are suitable for your specific scenario. Choosing the right option saves you time, effort, and money; choosing the wrong option will leave you with a mountain of debt to maintain later.
CN
EN