Is It Safe to Use a Single SSL Certificates to Secure Multiple Domains?

May 24, 2021 | Anastasios Arampatzis

Businesses are all about using minimum resources to maximize their investment returns. As such, one of the common questions many enterprises ask when they are considering buying or renewing their security certificates is:

“Can I use just one TLS/SSL Certificate to secure multiple domains?”

The answer is, obviously, yes—you can buy one wildcard SSL certificate to secure unlimited subdomains. But while it’s certainly possible to use a single machine identity to secure multiple domains, it isn’t always safe. Relying on one wildcard certificate to manage several subdomains comes with a variety of security challenges.

In this post, I’ll explain the opportunities and challenges of using a single TLS/SSL certificate to secure multiple domains.

The perks of using a single certificate for multiple domains

The "low-hanging fruit" of using a single certificate to secure multiple domains is that it appears easier to manage, more affordable, and helpful for your website on the SEO (Search Engine Optimization) front.

It may seem easier to manage a wildcard TLS/SSL certificate because you only have to worry about issuing and renewing one certificate for all your subdomains. (But we’ll talk more about the reality of wildcard certificate management later). If you are a bootstrapped company on a tight budget, you can secure 15 different subdomains with just one certificate.

The above-mentioned benefit also helps you save money. Since there is only one certificate to issue, manage, and renew, your overhead costs are significantly lower than those of buying and managing multiple single-domain certificates.

For most companies, buying one certificate for all their subdomains also comes down to the speed of deployment. For instance, most CAs issue a wildcard TLS/SSL certificate within a few hours of your purchase. Once you have the certificate, it doesn’t take more than a few minutes to install it on all your domains. Compare that with the process of buying extended validation (EV) certificates, which easily takes a few days because most CAs have a long and complicated verification process behind issuing EV certificates.

Another benefit is that whether you are using one or multiple TLS/SSL certificates, HTTPS will increase the chances of your website ranking at the top of search engine results pages. It’s old news, but news you must be aware of: Google counts SSL certificates as a lightweight ranking signal to encourage all businesses to encrypt their domains.

From a business perspective, this is a critical step towards maintaining your brand reputation. Not having an SSL certificate means search engines will show a warning message to the visitors when they enter your website from the search results page. It’s the quickest way to create a bad customer experience and lose customers’ trust in your brand.

Using just one security certificate across all subdomains not only saves you a ton of money but also secures your domains and builds trust in your brand.

So why is it risky to use a wildcard certificate?

Wildcard certificates may help you secure your public domains at an encryption level, but the risks involved can cut deeper.

For example, if you are using a single wildcard cert to secure several domains, cybercriminals can use that to their advantage. A wildcard certificate is a single point of failure for your encryption; if it fails, your entire security structure falls apart. Compromising your main encryption gate gives bad actors access to the one private key that all your subdomains share, which they can then use to break into those subdomains.

Here’s a simple way to understand this.

Using a wildcard certificate is like locking your house's front door while leaving the other doors open. The rooms inside your house are secure, but only until someone breaches the main door—then every room is vulnerable. Once they have access to your rooms/domains, cybercriminals can easily launch phishing attacks because they have gained the insider privilege to create new subdomains from within your server.

For example, let’s say a cybercriminal is able to compromise a wildcard certificate that was being used to secure a host domain and its subdomains.

Now they can create a number of spoofed URLs such as:

At a glance, all of these URLs look like legitimate Amazon sites. But if you look closely, they are fake clones of the Amazon URL.

Many cybercriminals go to the extent of designing websites that mimic popular brands to trick our eyes and brains into sharing personal information, which they can misuse for their own gain. Here’s an example:

(Image of a look-alike website not reproduced here.)

Cybercriminals are also getting better at either stealing encryption keys from Certificate Authorities (CAs) such as Symantec, DigiCert, or GoDaddy, or buying them on dark web marketplaces.

Simply put, you can’t rely too heavily on wildcards for encrypting your domains, as they can open a backdoor for cybercriminals to launch phishing attacks.

Wildcard certificates can also cause outages

Managing wildcard certificates becomes especially challenging when a single certificate is used across many websites or critical business infrastructure. I can’t tell you how many stories I’ve heard about machine identity professionals renewing a wildcard certificate and replacing it only on the systems they can remember. Invariably, there is a system that didn’t make the list, and when the original wildcard certificate expires, the system that wasn’t updated goes down.

As Walter Goulet, product manager for Venafi, mentioned in a previous blog, “when a wildcard certificate is deployed widely, there is an inability to schedule expiration rates around high traffic usage periods of business-critical infrastructure. As a result, when that wildcard certificate nears expiration, you need to coordinate renewal and installation on all systems that are using that certificate at the same time, or at least start the renewal and replacement process well before the certificate expires which reduces the effective lifetime of the wildcard certificate.”

So much for the idea of easier management! It seems convenient at first, but it is not so great when the time comes to untangle the web at renewal.
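An added example (not part of the original post) that makes two points above concrete: what a wildcard name actually covers, and which systems share one certificate and therefore must be renewed together. It uses only the Python standard library; the host names and certificate dictionaries are constructed sample data, and `fetch_peer_cert` is the only part that touches the network.

```python
import socket
import ssl
from collections import defaultdict
from datetime import datetime, timezone
# Browser-style wildcard rule (RFC 6125): "*" may only be the whole left-most label,
# so "*.example.com" covers "shop.example.com" but not "example.com" or "a.b.example.com".
def wildcard_matches(pattern, host):
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".example.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[:-len(suffix)]
    return bool(leftmost) and "." not in leftmost

def fetch_peer_cert(host, port=443, timeout=5.0):
    # Live helper: the leaf certificate served by host, in getpeercert() dict form.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
def audit(inventory, now):
    """inventory: hostname -> cert dict in getpeercert() form. Groups hosts by serial,
    so every system that must be updated when that one cert is renewed is listed together."""
    by_serial = defaultdict(list)
    for host, cert in inventory.items():
        by_serial[cert["serialNumber"]].append(host)
    report = {}
    for serial, hosts in by_serial.items():
        cert = inventory[hosts[0]]
        sans = [n for kind, n in cert.get("subjectAltName", ()) if kind == "DNS"]
        expires = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
        report[serial] = {"hosts": sorted(hosts), "sans": sans,
                          "wildcard": any(n.startswith("*.") for n in sans),
                          "days_left": (expires - now).days}
    return report

# Constructed sample: three hosts share one wildcard certificate, one has its own.
WILD = {"serialNumber": "01", "notAfter": "Jun 30 23:59:59 2021 GMT",
        "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com"))}
OWN = {"serialNumber": "02", "notAfter": "Dec 31 23:59:59 2021 GMT",
       "subjectAltName": (("DNS", "legacy.example.com"),)}
SAMPLE = {"www.example.com": WILD, "shop.example.com": WILD,
          "api.example.com": WILD, "legacy.example.com": OWN}
SAMPLE_NOW = datetime(2021, 5, 24, tzinfo=timezone.utc)  # the post's date, for a fixed result
def audit_sample():
    return audit(SAMPLE, SAMPLE_NOW)
```

Replace SAMPLE with `{h: fetch_peer_cert(h) for h in hosts}` to run it against your own inventory; a serial listed with many hosts and a small days_left is the renewal to schedule first.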

The final verdict

Frankly speaking, the cons of using one security certificate to secure multiple domains largely outweigh any superficial benefits.

In today’s fast-changing business landscape, data is the most valued currency for every business. A single SSL certificate doesn’t give you the assurance of tightly bolting your security gates against encryption misconfigurations and phishing attacks.

If you are a growing business that needs to add new subdomains to your website frequently, you should seriously consider investing in certificate management solutions to protect your business against certificate outages or other impending dangers. But even if you are a small business, does over-reliance on one certificate justify the cost savings? You be the judge.

About the author

Anastasios Arampatzis
Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.