NSA warns of wildcard certificate risks, provides mitigations
In a document released last week, the agency provides mitigations against the risks that come with the use of wildcard certificates.
A wildcard digital certificate can be used with multiple subdomains on the same domain, so it can cover multiple servers, while a multi-domain certificate is used for multiple domains on a single IP address.
The risk scenario the document describes involves:
- a target web application that uses TLS;
- another service/application that presents a valid TLS certificate with a subject name that would be valid for the targeted web app, such as when wildcard certificates are too broadly scoped.
The NSA also reminds organizations of the role wildcard certificates play in a trust architecture since they "Can be used to represent any system within its scope."
For this reason, they should ensure the protection of the private key of a wildcard certificate and keep it on a well-maintained server to avoid the risk of an attacker obtaining it by compromising a poorly secured machine.
The NSA recommends organizations make sure that wildcard certificates are used responsibly and their scope within the organization is well understood.
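Understanding a wildcard certificate's scope means knowing exactly which hostnames a client will accept it for. The following is an added audit example, not code from the NSA document or from the article; it implements the RFC 6125 matching rule (a `*` is accepted only as the whole left-most label and matches exactly one label) and compares what a certificate's SAN entries cover against the hosts an organization intended to cover. The SAN list, host inventory and intended set are constructed sample data.

```python
"""Audit how far a wildcard certificate's scope reaches across a host inventory."""
from __future__ import annotations

from typing import Iterable


def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if a SAN dNSName pattern covers hostname under RFC 6125 rules.

    A '*' is accepted only as the entire left-most label, it never matches
    across a dot, and a bare '*.tld' style scope is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards such as "w*.example.com" and scopes like "*.com".
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # The wildcard stands in for exactly one label, never zero or several.
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hosts_covered(san_names: Iterable[str], inventory: Iterable[str]) -> dict[str, list[str]]:
    """Map each SAN entry to the inventory hosts for which it would be accepted."""
    inventory = list(inventory)
    return {san: sorted(h for h in inventory if san_matches(san, h)) for san in san_names}


def overly_broad(san_names: Iterable[str], inventory: Iterable[str], intended: Iterable[str]) -> list[str]:
    """Return inventory hosts the certificate covers beyond the intended set.

    Each of these is a system where the same key and certificate would be
    valid, so a compromise there would affect the intended services too.
    """
    covered: set[str] = set()
    for hosts in hosts_covered(san_names, inventory).values():
        covered.update(hosts)
    return sorted(covered - set(intended))


# Constructed sample data (hypothetical organization, not from the article).
CERT_SANS = ["*.example.com", "example.com"]
INVENTORY = [
    "www.example.com",
    "api.example.com",
    "dev.example.com",
    "legacy-mail.example.com",
    "a.b.example.com",   # two labels deep: not covered by *.example.com
    "example.com",
]
INTENDED = ["www.example.com", "api.example.com", "example.com"]


def audit() -> list[str]:
    """Run the scope audit over the sample data and return the unintended hosts."""
    return overly_broad(CERT_SANS, INVENTORY, INTENDED)


if __name__ == "__main__":
    for san, hosts in hosts_covered(CERT_SANS, INVENTORY).items():
        print(f"{san}: {', '.join(hosts) or '(none)'}")
    print("covered but not intended:", audit())
```

Run against a real certificate by replacing `CERT_SANS` with the dNSName entries from its Subject Alternative Name extension and `INVENTORY` with the organization's DNS records; every host in the "covered but not intended" list is one whose security posture now matters to the intended services.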