Each subdomain (app.yourdomain.com, blog.yourdomain.com, shop.yourdomain.com) needs its own SSL certificate — or, with a wildcard cert, one certificate covers them all. When do you need wildcard vs. per-subdomain? How do you get a wildcard for free? This guide answers both.
How standard subdomain SSL works on iWebVault
cPanel AutoSSL automatically issues a separate Let’s Encrypt certificate for each subdomain as you create them. Process:
- You add a subdomain in cPanel → Domains → Subdomains.
- Within minutes (or by next AutoSSL run, typically every few hours), Let’s Encrypt issues a cert for it.
- Verify at cPanel → SSL/TLS Status — the subdomain shows green.
For most sites with 2-5 subdomains, this is perfect. No manual steps, no maintenance, free certs auto-renewed every 90 days.
When you need a wildcard certificate
A wildcard cert (*.yourdomain.com) covers ALL subdomains in one certificate. Real reasons to want one:
- Dynamic subdomains. Your app creates subdomains on demand (multi-tenant SaaS, customer-branded subdomains). You can’t pre-create a cert for each one.
- Many subdomains (50+). Managing individual certs becomes tedious; one wildcard simplifies.
- Subdomains created outside cPanel. If you use external services (Cloudflare DNS) to manage subdomains, AutoSSL might not see them.
- Apps that need it. Some applications (Kubernetes ingress, certain Docker setups) prefer a single wildcard cert.
When you don’t need a wildcard:
- You have 2-10 fixed subdomains. AutoSSL handles them.
- You only care about www and root. AutoSSL covers both automatically.
Issuing a wildcard via Let’s Encrypt
Let’s Encrypt issues wildcards, but the validation requirement is different from regular certs:
- Regular cert (HTTP-01): Let’s Encrypt fetches a file from http://yourdomain.com/.well-known/acme-challenge/... that the ACME client has placed there. AutoSSL handles this transparently.
- Wildcard cert (DNS-01): Let’s Encrypt asks you to add a TXT record at _acme-challenge.yourdomain.com to prove DNS control. You add it, Let’s Encrypt verifies it, the cert issues.
DNS-01 doesn’t automate via AutoSSL by default. Two ways to handle this on iWebVault:
Option 1: Open a support ticket
Easiest. Request wildcard certificate for your domain. We can issue Let’s Encrypt wildcard certs server-side using the DNS-01 challenge and install them on your account.
Once installed, the wildcard certificate covers all subdomains. Auto-renewal can be configured to handle DNS-01 automation behind the scenes.
Option 2: Cloudflare’s universal SSL
If your domain is on Cloudflare (orange cloud), Cloudflare provides edge SSL for *.yourdomain.com automatically. You don’t need a wildcard at your origin — visitors connect to Cloudflare via HTTPS using Cloudflare’s wildcard, Cloudflare connects to origin via your standard AutoSSL cert per subdomain.
This is the simplest setup for most sites needing wildcard behavior. Cloudflare handles the wildcard at the edge; origin keeps using per-subdomain certs that AutoSSL manages.
Option 3: certbot manually (advanced)
On a VPS or for advanced users:
certbot certonly --manual --preferred-challenges dns -d "*.yourdomain.com" -d yourdomain.com
Certbot prints a TXT value. You manually add it to DNS at _acme-challenge.yourdomain.com. Confirm via dig TXT _acme-challenge.yourdomain.com showing the value. Press Enter in certbot; cert issues to /etc/letsencrypt/live/yourdomain.com/.
Caveat: certs expire every 90 days. Manual DNS-01 means manual renewal every 90 days. For automation, use a certbot plugin that integrates with your DNS provider’s API (Cloudflare, Route 53, etc.).
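The DNS-01 description above and the manual certbot flow both hinge on one TXT record whose name and value certbot prints for you. The following added example (not iWebVault’s, certbot’s or Let’s Encrypt’s own code) shows how that record is derived per RFC 8555 and RFC 7638, and how to check a set of TXT strings returned by dig against the expected values. The account key, tokens and coordinates are constructed placeholders, not real ACME data. One point it makes explicit: when you request -d "*.yourdomain.com" -d yourdomain.com, both identifiers are validated at the same name, _acme-challenge.yourdomain.com, so two TXT records must be published side by side and the check has to look for membership, not a single value.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses everywhere (RFC 8555)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key.

    Only the required public members are hashed, in lexicographic order and
    without whitespace; optional members such as 'kid' or 'alg' are ignored.
    """
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT value for a DNS-01 challenge (RFC 8555 section 8.4):
    base64url(SHA-256(token + "." + account-key-thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(identifier: str) -> str:
    """Name of the TXT record. A wildcard identifier is validated at its base
    name, so *.yourdomain.com and yourdomain.com share one record name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base.rstrip('.').lower()}"


def txt_record_satisfies(published: list, expected: str) -> bool:
    """True if the expected value is among the TXT strings currently published
    (dig prints them quoted). Several records may coexist at the same name,
    one per identifier, so this is a membership test rather than equality."""
    return expected in [v.strip('"') for v in published]


# Constructed sample data (placeholders, not real ACME values): an EC account
# key and one token per identifier, as for -d "*.yourdomain.com" -d yourdomain.com.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "x-coordinate-placeholder",
              "y": "y-coordinate-placeholder", "kid": "ignored-by-thumbprint"}
SAMPLE_TOKENS = {"*.yourdomain.com": "token-for-wildcard", "yourdomain.com": "token-for-apex"}


def expected_records(jwk: dict = SAMPLE_JWK, tokens: dict = SAMPLE_TOKENS) -> dict:
    """Map each identifier to the (record name, TXT value) the CA will query for."""
    thumbprint = jwk_thumbprint(jwk)
    return {ident: (challenge_record_name(ident), dns01_txt_value(tok, thumbprint))
            for ident, tok in tokens.items()}


if __name__ == "__main__":
    records = expected_records()
    for ident, (name, value) in records.items():
        print(f"{ident}: add TXT {name} = {value}")
    # Simulate what dig returns once both values are published at the shared name.
    published = [f'"{value}"' for _, value in records.values()]
    for ident, (_, value) in records.items():
        print(ident, "verified:", txt_record_satisfies(published, value))
```

If dig shows only one of the two values, certbot’s validation of the other identifier fails even though the record name looks right; the usual cause is a DNS provider that replaced the first TXT record instead of adding a second one.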
Installing a wildcard cert on cPanel
Once you have certificate + private key + CA bundle (either from our support, or generated yourself):
- cPanel → SSL/TLS → Manage SSL sites.
- Select your domain.
- Paste certificate, key, CA bundle.
- Install.
- Repeat for each subdomain — same cert and key, but installed against each subdomain.
Server-side, a wildcard cert is recognized as valid for any subdomain matching the pattern. cPanel installs it per-domain because that’s how cPanel models SSL; the underlying cert is the same.
What wildcard certs do and don’t cover
*.yourdomain.com covers:
- www.yourdomain.com
- app.yourdomain.com
- blog.yourdomain.com
- Any one-level subdomain.
Does NOT cover:
- yourdomain.com (the root domain). You need to explicitly include this when requesting (-d yourdomain.com -d "*.yourdomain.com").
- nested.app.yourdomain.com. Wildcards are one level deep; multi-level subdomains need separate certs or a wildcard at that level (*.app.yourdomain.com).
- Different domains entirely (otherdomain.com).
SAN (Subject Alternative Name) certs — the alternative
Instead of wildcards, you can have a “SAN” cert that explicitly lists multiple specific domains/subdomains. Let’s Encrypt issues SAN certs covering up to 100 names. AutoSSL does this automatically for all subdomains it sees.
SAN advantage: more predictable, explicit. Wildcard advantage: works for unknown future subdomains.
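The coverage rules in the two sections above (one-level wildcards, root excluded, nested names excluded, SAN entries matched exactly) are the same rules a browser applies when it decides whether the installed cert covers the hostname it connected to. The following added example (not part of the article and not cPanel’s or Let’s Encrypt’s code) implements that matching per RFC 6125 section 6.4.3 and runs it over a constructed wildcard SAN list and a constructed explicit SAN list, so you can see in one table which hostnames each certificate type would satisfy. It also rejects partial wildcards such as app*.yourdomain.com, which Let’s Encrypt does not issue and browsers do not honour.

```python
def _labels(name: str) -> list:
    """Lower-case, drop a trailing dot, split into DNS labels."""
    return name.strip().rstrip(".").lower().split(".")


def name_matches(pattern: str, hostname: str) -> bool:
    """Does one certificate name (a SAN entry) cover a hostname?

    RFC 6125 section 6.4.3 rules as browsers apply them: a wildcard must be the
    whole leftmost label and matches exactly one label, so *.yourdomain.com
    covers app.yourdomain.com but neither yourdomain.com nor
    nested.app.yourdomain.com. Names without a wildcard must match exactly.
    """
    p, h = _labels(pattern), _labels(hostname)
    if "*" in hostname or "" in h:
        return False  # hostnames never contain wildcards or empty labels
    if "*" not in pattern:
        return p == h  # plain SAN entry: exact match only
    if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
        return False  # partial (app*.) or too-broad (*.com) wildcards are not accepted
    return len(h) == len(p) and h[1:] == p[1:]


def cert_covers(san_names, hostname: str) -> bool:
    """A certificate covers a hostname if any of its SAN entries matches."""
    return any(name_matches(n, hostname) for n in san_names)


def coverage_report(san_names, hostnames) -> dict:
    """hostname -> covered?  for every name you serve from this certificate."""
    return {h: cert_covers(san_names, h) for h in hostnames}


# Constructed sample SAN lists for the two certificate types the article compares.
WILDCARD_SANS = ["*.yourdomain.com", "yourdomain.com"]  # certbot -d "*.yourdomain.com" -d yourdomain.com
SAN_ONLY_SANS = ["yourdomain.com", "www.yourdomain.com", "app.yourdomain.com", "blog.yourdomain.com"]
HOSTS = ["yourdomain.com", "www.yourdomain.com", "app.yourdomain.com", "shop.yourdomain.com",
         "nested.app.yourdomain.com", "otherdomain.com"]

if __name__ == "__main__":
    for label, sans in (("wildcard cert", WILDCARD_SANS), ("SAN cert", SAN_ONLY_SANS)):
        print(label)
        for host, ok in coverage_report(sans, HOSTS).items():
            print(f"  {host:28} {'covered' if ok else 'NOT covered'}")
```

The report for shop.yourdomain.com is the practical difference between the two: the wildcard covers a subdomain that did not exist when the cert was issued, while the SAN cert needs reissuing (which AutoSSL does on its next run) before the new name is covered.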
Common wildcard SSL questions
“Does a wildcard cost more than regular?” Free via Let’s Encrypt either way. Paid wildcards from commercial CAs are more expensive than single-domain paid certs (typically $50-200/year vs $10-50). With Let’s Encrypt being free and ubiquitous, paid wildcards are rarely needed in 2026.
“Renewal is more complex for wildcards.” True if you’re doing DNS-01 manually. With our support handling it, or via certbot with a DNS API plugin, renewal is automated.
“Can I have AutoSSL AND a wildcard at the same time?” AutoSSL will respect manually-installed certs. If you install a wildcard manually, AutoSSL won’t overwrite it. You’re responsible for renewal of manually-installed certs.
“My subdomain isn’t getting an SSL even after waiting hours.” Standard AutoSSL troubleshooting applies: is the subdomain’s DNS pointing at the server? Has AutoSSL excluded the subdomain? Run AutoSSL manually. See the SSL/AutoSSL guide.
“Browser says ‘cert doesn’t cover this subdomain’.” The installed cert is for a different subdomain or only the root. Verify which cert is installed at SSL/TLS → Manage SSL sites for the specific subdomain.
What’s next
- SSL fundamentals and troubleshooting: SSL and AutoSSL guide.
- Cloudflare alternative for wildcard behavior: Cloudflare origin protection.
- DNS records for SSL validation: DNS records explained.
For most sites: don’t bother with a wildcard. AutoSSL on iWebVault automatically issues per-subdomain certs and renews them — invisible, free, robust. Wildcards are for the specific cases where per-subdomain doesn’t fit: dynamic subdomains, very large counts, or specific application requirements.