Why a Wildcard Certificate Does Not Cover the Apex Domain
Understand why a wildcard certificate like *.example.com does not cover example.com itself, why it also misses deeper subdomains, and how exact SAN entries fix hostname mismatch errors.
One of the most common certificate misunderstandings is assuming that a wildcard automatically covers the root, or apex, domain.
It does not.
If a certificate contains *.example.com, that does not mean it also covers example.com.
The short rule
A wildcard certificate matches subdomains, not the bare apex name.
Current RFC 6125 matching rules say a wildcard only matches the left-most label in the hostname. In practical terms:
*.example.commatcheswww.example.com*.example.commatchesapi.example.com*.example.comdoes not matchexample.com*.example.comdoes not matcha.b.example.com
That is the root of the issue.
Why operators get surprised by this
People often think of the apex and the www host as "basically the same site."
Operationally they may route to the same place, but certificate matching does not care about that intent. It cares about the hostname presented during TLS.
So a certificate can be perfect for:
www.example.comapp.example.comcdn.example.com
while still failing on:
example.com
That creates a classic hostname mismatch error on the exact name many users actually type first.
The exact-name requirement
Current NGINX HTTPS documentation shows the right mental model clearly by giving an example certificate that includes both:
example.org*.example.org
That is the pattern to remember.
If you need both the apex domain and wildcard coverage for one level of subdomains, the certificate needs both identities, typically through exact and wildcard Subject Alternative Name entries.
Why this also fails for deeper subdomains
The wildcard limitation is not only about the apex.
RFC 6125 also makes clear that the wildcard matches a single left-most label, not multiple nested labels.
So:
*.example.commatchesapi.example.com*.example.comdoes not matchadmin.api.example.com
This matters in environments where operators start with a simple wildcard and later add another subdomain layer without rethinking certificate coverage.
Why this belongs in the domain/TLS workflow
Domain lookup helps you see which hostnames are actually in play:
- apex domain
www- app hostnames
- mail or API hostnames
That matters because the certificate may be correct for one hostname and wrong for another, even when they all route to the same service.
This is also why hostname errors are often better understood as naming and coverage problems rather than as pure "SSL broke" problems.
What to check first
1. Check the exact hostname that fails
Do not summarize the issue as "the domain" failing.
Check whether the failing name is:
- the apex
- a one-level subdomain
- a deeper nested subdomain
2. Check the certificate names, not just the common label you remember
Modern matching is about the actual identities in the certificate, especially the SAN list.
3. Check whether you need both exact and wildcard coverage
If the site must answer on both example.com and *.example.com, treat those as separate coverage needs.
4. Check redirects carefully
Sometimes the apex redirects to www, but the TLS handshake still happens on the apex first. If the apex is not covered, the redirect does not save the connection.
The practical fix
If you need the certificate to cover both the apex and wildcard subdomains, request a certificate that includes:
- the exact apex name
- the wildcard name
For example:
example.com*.example.com
That is the clean operational model.
Common misunderstandings
"The wildcard should cover everything under the domain, including the root"
No.
The apex is not a subdomain label under itself for certificate matching purposes.
"A redirect from apex to www means the wildcard is enough"
No.
TLS identity is checked before the browser can safely follow the redirect.
"If the certificate worked for one subdomain, it should work for every nested hostname too"
No.
Wildcard coverage is not infinite depth.
FAQ
Does *.example.com cover example.com?
No. A wildcard subdomain certificate does not cover the apex domain itself.
Does *.example.com cover a.b.example.com?
No. The wildcard matches a single left-most label, not multiple nested labels.
How do I cover both the apex and wildcard subdomains?
Use a certificate that includes both the exact apex name and the wildcard name in its identities.
Why does the redirect not fix the hostname mismatch?
Because certificate matching happens during the TLS handshake before the browser can safely rely on the redirect target.
Continue reading
Stay in the same investigation track with these closely related guides.
Tools mentioned in this article
Run the same diagnostics to follow along with the guide.