Why Wildcard Certificates Are a Security Risk
Shared identity is not efficiency – it's risk concentration
March 30, 2026 · [cyphrs] Team · 10 min read
The Comfort of Simplicity
For years, wildcard certificates have been the quiet default of TLS management. One certificate. One renewal. One configuration. On the surface, it feels like operational efficiency.
Instead of managing dozens - or hundreds - of certificates, teams collapse everything into a single wildcard:
*.company.com Fewer moving parts. Less overhead. Simpler systems. But that simplicity comes at a cost most teams don't see until something breaks.
What Simplification Actually Does
Wildcard certificates don't just reduce complexity. They restructure your trust model. Instead of independent services with isolated identity, you get a single certificate, a single private key, a single renewal cycle, and a single validation event - shared across every service under that domain.
What were once separate systems become cryptographically coupled. Simplification turns isolated failures into systemic risk.
The Failure Most Teams Don't Plan For
Everything is working. Five services, one wildcard, zero complaints. Until renewal.
ACME attempts to renew the certificate. A DNS record is misconfigured. A validation token hasn't propagated. An automation job fails silently.
The certificate is not reissued.
What Happens Next
Not one service fails. All of them do.
This isn't a configuration issue. It's an architectural failure.
Blast Radius in Action
In security terms, blast radius describes how much of your system is impacted when one component fails. Wildcard certificates amplify blast radius by design.
| Single Point of Failure | Consequence |
|---|---|
| One key compromise | Full domain impersonation |
| One renewal failure | Multi-service outage |
| One revocation | Platform-wide disruption |
You don't have multiple services anymore. You have one failure domain.
The Deeper Problem: Failure Coupling
The real issue isn't just shared certificates. It's what they create: failure coupling. Independent systems are forced to fail together. APIs depend on frontend TLS. Payments depend on admin validation. Internal services depend on public DNS. All tied to the same cryptographic lifecycle.
What looked like simplification becomes:
Tightly coupled systems - services that should be independent share a single cryptographic identity
Synchronized failure conditions - when one fails, all fail, at the same time, for the same reason
Systemic operational risk - the blast radius of any incident is, by definition, total
Why This Model No Longer Works
Wildcard certificates made sense in a different era: static infrastructure, few services, manual operations, perimeter-based security. Modern systems are none of these things.
Static infrastructure
Few services
Manual operations
Perimeter-based security
Distributed
Dynamic
Service-oriented
Zero-trust driven
In this world, shared identity is not efficiency - it's risk concentration.
What Modern Systems Do Instead
At scale, leading engineering organisations have already moved away from this model. They don't share certificates. They distribute trust.
1. Per-Service Certificates
Each service has its own identity. One service, one certificate. One key, one boundary. A failure stays contained.
api.company.com auth.company.com payments.company.com 2. Automated Issuance (ACME)
Certificates are issued automatically, renewed automatically, deployed automatically. No manual processes. No shared dependencies.
3. Short-Lived Certificates
Instead of long lifetimes, certificates expire in days - or hours. If a key is compromised, it becomes useless quickly. The window of exposure shrinks from months to minutes.
4. Internal Identity (Private CA)
Public certificates are not used inside systems. Instead, internal Certificate Authorities issue service identity. Trust is defined by policy, not DNS. Issuance is instant, revocation is real-time, and there is zero dependency on external validation infrastructure.
5. mTLS Enforcement
Every service proves its identity. Every service verifies the identity of others. No implicit trust. This is the natural endpoint of per-service identity - and it is only possible when you control your own certificate issuance.
The Shift: From Certificates to Trust Architecture
This is the key insight most teams miss: the problem isn't certificate management. It's how trust is structured.
Shared
Implicit
Perimeter-based
Granular
Explicit
Enforced
A Better Model: Separate Trust by Domain
To fix this, trust needs to be split into three domains - each with its own authority, its own lifecycle, and its own failure boundary.
Public Trust
Certificates for external access, automated via ACME. Browser-facing endpoints only.
Private Identity
Certificates for internal systems, issued by a controlled CA. Policy-driven, zero external dependency.
Machine Trust
How systems authenticate each other, enforced via mTLS. Cryptographic proof, not implicit trust.
Why This Matters to the Business
This isn't just a technical refinement. It directly impacts the metrics that matter.
Availability - reduces risk of multi-service outages by isolating certificate lifecycles
Security - limits the blast radius of any single compromise to a single service boundary
Recovery - enables targeted remediation instead of full-system incident response
Compliance - aligns with least privilege and zero-trust principles by design
The Bottom Line
Wildcard certificates feel like simplification. But they don't remove complexity. They hide it - and concentrate the risk. One certificate becomes one failure domain.
Modern systems take the opposite approach: distribute trust, isolate failure, enforce identity.
The certificate that breaks your system isn't the one you manage. It's the one you didn't realise everything depends on.