Is a Wildcard SAN certificate possible?

Yes, it's certainly technically possible. For instance, the certificate for Microsoft Outlook Web Access (https://outlook.office365.com) was issued to outlook.com, and has a combination of wildcarded and non-wildcarded names in the SAN section:

DNS Name=outlook.com
DNS Name=*.outlook.com
DNS Name=office365.com
DNS Name=*.office365.com
DNS Name=*.live.com
DNS Name=*.internal.outlook.com
DNS Name=*.outlook.office365.com
DNS Name=outlook.office.com
DNS Name=attachment.outlook.office.net
DNS Name=attachment.outlook.officeppe.net

Of course, as pointed out above, this cert was issued by Microsoft themselves, so they can pretty much do what they want.


I assume you want to use the certificate for HTTP. In this case you need to look at RFC 2818. This RFC clearly defines that the common name should only be used if no subject alternative names are configured, but it allows wildcard certificates in the SAN extension. So it should be possible to combine several non-wildcard and wildcard names inside the SAN part of the certificate.

It looks like various CAs have different policies about creating certificates mixing wildcard and non-wildcard names: while Thawte argues that mixing is not possible (https://community.thawte.com/blog-posts/difference-between-wildcard-ssl-vs-san-certificate), DigiCert promotes it as the best of both worlds (http://www.digicert.com/ssl-support/wildcard-san-names.htm). So it seems to be more a limitation of the CAs and not of the browsers and definitely not of the standard.
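As an added illustration, not part of either answer above, here is a small pure-Python hostname matcher run against the exact SAN list quoted in the first answer. It implements the matching rules that browsers actually apply, which are stricter than the text of RFC 2818 section 3.1 (that text also allows fragment wildcards such as `f*.com`; browsers follow the RFC 6125 style and accept `*` only as the complete leftmost label). It also shows the RFC 2818 rule that the CN is ignored as soon as a SAN extension is present. The hostnames tested, the function names and the `common_name` parameter are constructed for this example.

```python
"""Hostname matching against a certificate's SAN list (added example).

Rules implemented (browser-style, stricter than RFC 2818's own text):
  - names are compared case-insensitively, label by label, ignoring a
    trailing dot;
  - a SAN entry may carry one '*' and only as its complete leftmost label;
  - '*' matches exactly one label: never zero labels and never a dot;
  - a wildcard needs at least two labels to its right, so '*.com' is rejected;
  - the CN is consulted only when the certificate has no SAN entries
    (RFC 2818 section 3.1).
"""
from __future__ import annotations

# The SAN list quoted in the first answer for outlook.office365.com.
SAN_FROM_ANSWER = [
    "outlook.com",
    "*.outlook.com",
    "office365.com",
    "*.office365.com",
    "*.live.com",
    "*.internal.outlook.com",
    "*.outlook.office365.com",
    "outlook.office.com",
    "attachment.outlook.office.net",
    "attachment.outlook.officeppe.net",
]


def _labels(name: str) -> list[str]:
    """Normalise a DNS name to lowercase labels without a trailing dot."""
    return name.lower().rstrip(".").split(".")


def san_entry_is_valid(entry: str) -> bool:
    """Reject malformed entries and wildcards browsers would not honour."""
    labels = _labels(entry)
    if "" in labels:  # leading, trailing or doubled dots
        return False
    if "*" in entry:
        # exactly one '*', it must be the whole leftmost label, and at least
        # two labels must follow it (so '*.com' and 'f*.com' are rejected)
        if entry.count("*") != 1 or labels[0] != "*" or len(labels) < 3:
            return False
    return True


def name_matches(hostname: str, entry: str) -> bool:
    """True if `hostname` is matched by the single SAN/CN `entry`."""
    if not san_entry_is_valid(entry):
        return False
    h, e = _labels(hostname), _labels(entry)
    if "*" in hostname or "" in h:  # a client name must be a plain FQDN
        return False
    if len(h) != len(e):  # '*' never spans more than one label
        return False
    if e[0] == "*":
        return h[1:] == e[1:]
    return h == e


def certificate_matches(hostname: str, san_names: list[str],
                        common_name: str | None = None) -> str | None:
    """Return the SAN entry (or CN) that matched `hostname`, else None.

    Per RFC 2818 section 3.1 the CN is only a fallback for certificates
    that carry no subjectAltName dNSName entries at all.
    """
    if san_names:
        for entry in san_names:
            if name_matches(hostname, entry):
                return entry
        return None
    if common_name is not None and name_matches(hostname, common_name):
        return common_name
    return None


if __name__ == "__main__":
    for host in ("outlook.office365.com", "mail.outlook.office365.com",
                 "outlook.live.com", "a.b.outlook.com", "live.com"):
        print(f"{host:30s} -> {certificate_matches(host, SAN_FROM_ANSWER)}")
```

Note that `outlook.office365.com` is covered by `*.office365.com` but not by `*.outlook.office365.com`; the latter only covers names one label deeper, which is why the certificate needs both the wildcard and the mixed non-wildcard entries.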