Benefits of a wildcard vs per-subdomain certificates

For websites which dynamically generate subdomains (for example, if users can create their own subdomain for some service), installing a certificate for each new subdomain is far from ideal, because you need to verify the ownership of the domain for each subdomain, followed by installing the certificate for each subdomain (which typically also requires a reboot of the web server).

In addition to activating new subdomains, managing many certificates (each with its own expiration date) quickly becomes a major hassle. All in all, this constitutes increased complexity at the cost of no extra security.

So, in summary, the advantage of a wildcard certificate is in the lower administrative burden.


An additional point to consider is that all certificates issued by Let's Encrypt (and by other issuers) can be viewed in Certificate Transparency logs, so if you issue certificates without using wildcards, all your subdomains can be easily enumerated by anyone.

It isn't always a problem, but in some cases it can make an attacker's life easier. For example, it can help him discover some hidden services, like a repository, a build server, etc.

crt.sh is an example of a site which provides these logs.
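To see the Certificate Transparency exposure described in this answer from the defender's side, here is an added example (not from the answer's author) that reads a CT log export in the shape crt.sh returns with `output=json` and reports which hostnames it reveals beyond those you intend to be public. The sample data is constructed, and the field names `common_name`, `name_value` and `not_after` are assumed from crt.sh's export format; a wildcard entry yields only `*.example.com`, while per-subdomain certificates expose each name.

```python
import json
from typing import Iterable

# Constructed sample in the shape of a crt.sh JSON export (field names assumed);
# this is not real log data. Each "name_value" holds newline-separated SANs.
SAMPLE_CT_JSON = json.dumps([
    {"common_name": "www.example.com", "name_value": "www.example.com\nexample.com",
     "not_after": "2025-01-01T00:00:00"},
    {"common_name": "git.example.com", "name_value": "git.example.com",
     "not_after": "2025-02-01T00:00:00"},
    {"common_name": "ci.example.com", "name_value": "ci.example.com",
     "not_after": "2024-06-01T00:00:00"},
    # A wildcard certificate leaks only the pattern, not the hosts behind it.
    {"common_name": "*.example.com", "name_value": "*.example.com\nexample.com",
     "not_after": "2025-03-01T00:00:00"},
])


def hostnames_from_ct(ct_json: str) -> tuple[set[str], set[str]]:
    """Split every name found in the CT entries into concrete hostnames and wildcards."""
    concrete: set[str] = set()
    wildcards: set[str] = set()
    for entry in json.loads(ct_json):
        for name in entry.get("name_value", "").splitlines():
            name = name.strip().lower().rstrip(".")
            if not name:
                continue
            (wildcards if name.startswith("*.") else concrete).add(name)
    return concrete, wildcards


def unexpected_hosts(ct_json: str, known_public: Iterable[str]) -> set[str]:
    """Hostnames visible in CT that are not on the list of hosts meant to be public.

    Anything returned here is a name an outsider can learn from the logs alone;
    it is the audit a domain owner should run before relying on obscurity.
    """
    concrete, _ = hostnames_from_ct(ct_json)
    return concrete - {h.strip().lower() for h in known_public}


if __name__ == "__main__":
    exposed = unexpected_hosts(SAMPLE_CT_JSON, ["www.example.com", "example.com"])
    for host in sorted(exposed):
        print(f"visible in CT but not in the public inventory: {host}")
```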