...
- http://www.entrust.com/wp-content/uploads/2013/05/WP_WildcardSSL_July2012.pdf
- http://www.incommon.org/certificates/certpick.html
Q6. "I want to just get a single certificate that will work for all the systems in my domain, such as all hosts matching the pattern *.example.org"
That's called a wildcard server certificate. While InCommon offers them, we urge you to avoid using wildcard certificates whenever possible. To understand why, consider the following scenario:
A wildcard certificate is obtained for *.example.org and installed on numerous systems, including a security sensitive health care-related system, operationally critical teaching and learning management systems, the campus identity management system, and the campus student bridge club's server. Those systems have widely varying security profiles.
Assume the bridge club server, run by a volunteer with little or no server administration experience, ends up getting compromised and the wildcard certificate and its associated private key get stolen. This undercuts the security of every other system that relies on that certificate: because the bridge club system was compromised, the wildcard certificate must be revoked and replaced on ALL systems using it. That is a genuine "fire drill."
If you had used system-specific certificates, the compromise of a single system (such as the bridge club server) would have had no effect on the security of the other servers, and only that one private key and its certificate would have needed to be replaced. Do yourself a favor and avoid wildcard certificates when you can.
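The scenario above can be made concrete by modelling the "blast radius" of a stolen private key. The following is an added example, not InCommon's code or anything from the linked papers: the hostnames, key ids and the two inventories are constructed sample data. It implements the wildcard name-matching rule browsers apply (a `*` only as the whole left-most label, matching exactly one label) and then lists which hosts must have their certificate revoked and replaced when one host's key is compromised, first with a shared wildcard certificate and then with a certificate per host.

```python
"""Added example, not InCommon's code: model the blast radius of a
shared wildcard certificate versus per-host certificates.
Hostnames, key ids and the inventories are constructed sample data."""


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style reference identifier matching (simplified):
    '*' is accepted only as the entire left-most label and matches
    exactly one label, so '*.example.org' covers 'lms.example.org' but
    not 'example.org' or 'a.b.example.org'. Case-insensitive."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial ('f*.example.org') and non-leading wildcards.
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # Policy choice for this example: refuse '*.org'-style wildcards
    # that would span a whole public suffix.
    if len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one non-empty label.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if any name in the certificate matches the hostname."""
    return any(wildcard_matches(name, hostname) for name in cert["names"])


def blast_radius(inventory: dict, compromised_host: str) -> list:
    """Hosts whose certificate must be revoked and replaced when the
    private key on `compromised_host` is stolen: every host that serves
    a certificate backed by the same key."""
    stolen_key = inventory[compromised_host]["key_id"]
    return sorted(h for h, c in inventory.items() if c["key_id"] == stolen_key)


def coverage_gaps(inventory: dict) -> list:
    """Hosts serving a certificate that does not actually name them
    (a misconfiguration that browsers would reject)."""
    return sorted(h for h, c in inventory.items() if not cert_covers(c, h))


HOSTS = ["health.example.org", "lms.example.org",
         "idp.example.org", "bridgeclub.example.org"]

# Scenario 1: one wildcard certificate (one private key) on every host.
WILDCARD_CERT = {"key_id": "wild-key-01", "names": ["*.example.org"]}
INVENTORY_WILDCARD = {h: WILDCARD_CERT for h in HOSTS}

# Scenario 2: a distinct certificate and key per host.
INVENTORY_PER_HOST = {h: {"key_id": "key-" + h, "names": [h]} for h in HOSTS}


if __name__ == "__main__":
    victim = "bridgeclub.example.org"
    print("wildcard :", blast_radius(INVENTORY_WILDCARD, victim))
    print("per-host :", blast_radius(INVENTORY_PER_HOST, victim))
    print("gaps     :", coverage_gaps(INVENTORY_WILDCARD))
```

Run as a script, the wildcard inventory reports all four hosts for the bridge club compromise while the per-host inventory reports only the bridge club server. In a real inventory the `key_id` would be the certificate's public-key fingerprint taken from each server, which is also the simplest way to discover that several unrelated systems quietly share one key.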