Can A Wildcard Certificate Be Issued With Extended Validation (EV)?

Wildcard certificates cannot be issued with Extended Validation (EV). The CA/Browser Forum’s guidelines for EV certificates prohibit it.

The same properties that make wildcards very useful can also create security concerns, and each item contained in an EV certificate must be individually vetted. EVs therefore require a unique identifier for each item.

All Certification Authorities may only issue EV SSL certificates to entities or organizations that satisfy the EV requirements.

However, if EV with multiple subdomains is desired, a common workaround is to purchase an EV UCC and spell out each hostname in the certificate, like so:

  • domain.com
  • www.domain.com
  • mail.domain.com
  • …etc.domain.com

This has an effect similar to that of a wildcard while displaying the EV company name in the browser address bar.

Finally, another option is to get an EV SSL certificate for the main domain (it comes with the www subdomain as well), which will show the company name in the browser address bar, and then get a wildcard SSL or UCC (SAN SSL) certificate for the other subdomains and domains. The company name will not be displayed for the second certificate.
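
The following is an added example, not part of the original article: a planning check for the two options above that rejects wildcard entries from the EV name list and shows which hosts the second (wildcard) certificate would actually cover. The function names and the extra hostnames (shop, api.eu) are constructed for illustration, and the rule that a wildcard matches exactly one left-most label is standard certificate name matching, not something stated on this page.

```python
# Added example: plan an EV certificate plus a second wildcard certificate.
# Hostnames beyond those listed in the article are constructed samples.

def is_wildcard(name):
    """A name containing '*' can never go on an EV certificate."""
    return "*" in name

def wildcard_covers(pattern, host):
    """True if pattern covers host. '*.domain.com' matches exactly one
    extra left-most label: not 'domain.com', not 'a.b.domain.com'."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                    # ".domain.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return label != "" and "." not in label

def plan_certificates(inventory, ev_names, second_cert_names):
    """Split a hostname inventory across the EV and second certificates."""
    result = {
        "ev_san": sorted({n.lower() for n in ev_names if not is_wildcard(n)}),
        "ev_rejected": sorted(n for n in ev_names if is_wildcard(n)),
        "second_cert": [],   # covered, but without the EV company name
        "uncovered": [],     # covered by neither certificate
    }
    for host in inventory:
        h = host.lower()
        if h in result["ev_san"]:
            continue
        if any(wildcard_covers(p, h) for p in second_cert_names):
            result["second_cert"].append(h)
        else:
            result["uncovered"].append(h)
    return result

# Constructed sample inventory for illustration.
INVENTORY = ["domain.com", "www.domain.com", "mail.domain.com",
             "shop.domain.com", "api.eu.domain.com"]

if __name__ == "__main__":
    plan = plan_certificates(INVENTORY,
                             ev_names=["domain.com", "www.domain.com", "*.domain.com"],
                             second_cert_names=["*.domain.com"])
    for key, names in plan.items():
        print(f"{key}: {names}")
```

Any host reported as uncovered needs its own entry on a UCC (SAN) certificate, since a single-level wildcard does not reach it.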