Wildcard for second level subdomain

You can have Subject Alternative Names or SANs in the certificate for named domains: https://geekflare.com/san-ssl-certificate/

Certificate Signing Request or CSR generation would be something like this:

openssl req -new -key my.key -out my.csr -subj "/CN=*.domain.com" -addext "subjectAltName=DNS:one.complex.domain.com,DNS:completely.another.domain.com"

More details here: https://stackoverflow.com/a/16127802/339052

Source: http://docs.aws.amazon.com/acm/latest/userguide/acm-certificate.html

Wildcard Names ACM allows you to use an asterisk (*) in the domain name to create an ACM Certificate containing a wildcard name that can protect several sites in the same domain. For example, *.example.com protects www.example.com and images.example.com.

Note: When you request a wildcard certificate, the asterisk (*) must be in the leftmost position of the domain name and can protect only one subdomain level. For example, *.example.com can protect login.example.com and test.example.com, but it cannot protect test.login.example.com. Also note that *.example.com protects only the subdomains of example.com, it does not protect the bare or apex domain (example.com). However, you can request a certificate that protects a bare or apex domain and its subdomains by specifying multiple domain names in your request. For example, you can request a certificate that protects example.com and *.example.com.

Unfortunately this is not possible/supported.

For those who are having issues for multiple sub domain in their certificate.

Source: https://aws.amazon.com/premiumsupport/knowledge-center/associate-ssl-certificates-cloudfront/

You can't associate more than one SSL or Transport Layer Security (TLS) certificate to an individual CloudFront distribution. However, certificates provided by AWS Certificate Manager (ACM) support up to 10 subject alternative names, including wildcards. To enable SSL or HTTPS for multiple domains served through one CloudFront distribution, assign a certificate from ACM that includes all the required domains.

To use your own SSL certificate for multiple domain names with CloudFront, import your certificate into ACM or the AWS Identity and Access Management (IAM) certificate store. For instructions, see Importing an SSL/TLS Certificate.