SSL & SECURITY
Jun 24, 2026

How to Install a Wildcard SSL Certificate

9 min read
Author
CloudStick Team
Security Specialist
One cert, all subdomains

What Is a Wildcard SSL Certificate?

A wildcard SSL certificate covers a root domain and all first-level subdomains with a single certificate. The subject alternative name is written as *.yourdomain.com, which matches app.yourdomain.com, api.yourdomain.com, staging.yourdomain.com, and any other first-level subdomain. It does not cover yourdomain.com itself (the apex domain), so most wildcard certificates are issued for both *.yourdomain.com and yourdomain.com.

Let's Encrypt issues free wildcard certificates. The catch: they require the DNS-01 challenge instead of the HTTP-01 challenge used for single-domain certificates. DNS-01 requires you to create a specific TXT record in your DNS zone to prove domain ownership — you can't just drop a file in a webroot. This makes wildcard certificates slightly more involved to issue and renew, but they're fully automatable through DNS provider APIs.

When to Use a Wildcard vs. Individual Certificates

Use a wildcard certificate when you have three or more subdomains that all need HTTPS, or when you're creating subdomains dynamically (e.g. per-customer subdomains for a SaaS app). Individual per-domain certificates are simpler to issue and renew (HTTP-01 challenge, no DNS API required) and are the right choice for a small number of fixed domains. The key tradeoff: wildcard certificates mean a single compromised private key exposes all subdomains simultaneously, versus a smaller blast radius with individual certs. For most web applications, the management simplicity of a wildcard outweighs this.

PREREQUISITE

To automate wildcard renewal, your DNS provider must support an API that Certbot can use (via a DNS plugin). Supported providers include Cloudflare, Route53, DigitalOcean, and many others. Manual DNS-01 is possible but requires editing a TXT record every 90 days — not sustainable for production.

How the DNS-01 Challenge Works

The DNS-01 challenge asks you to prove you control the domain by placing a specific TXT record at _acme-challenge.yourdomain.com. Let's Encrypt checks this record over DNS (not HTTP), which is why it works for hosts that aren't reachable over HTTP from the public internet and for wildcard certificates. Certbot's DNS plugins automate this by making API calls to your DNS provider.

# Manual DNS-01 (for understanding the process)
# Let's Encrypt asks you to add this TXT record:
Name: _acme-challenge.yourdomain.com
Type: TXT
Value: <challenge-token-provided-by-certbot>
# After adding, Let's Encrypt verifies and issues the certificate
# For production: use Cloudflare DNS plugin for automation

Issue a Wildcard Certificate with Cloudflare DNS Plugin

If your DNS is on Cloudflare, the Certbot Cloudflare plugin handles the TXT record automatically during both issuance and renewal. Install it and create an API token with Zone DNS Edit permissions:

# Allow the Certbot snap to use DNS plugins, then install the Cloudflare plugin
sudo snap set certbot trust-plugin-with-root=ok
sudo snap install certbot-dns-cloudflare
# Create the credentials file (scoped API token with Zone:DNS:Edit, not the Global API Key)
sudo mkdir -p /root/.secrets
sudo nano /root/.secrets/cloudflare.ini
# File contents, a single line:
dns_cloudflare_api_token = YOUR_CLOUDFLARE_API_TOKEN
# Secure the credentials file; Certbot warns if it is readable by other users
sudo chmod 600 /root/.secrets/cloudflare.ini
# Issue the wildcard certificate (apex and wildcard in one order)
sudo certbot certonly \
--dns-cloudflare \
--dns-cloudflare-credentials /root/.secrets/cloudflare.ini \
-d yourdomain.com -d "*.yourdomain.com" \
--email admin@yourdomain.com --agree-tos --no-eff-email
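The credentials file above is the one secret that can rewrite every record in your zone, so it is worth checking before the first certbot run. The following is an added example (not CloudStick's or Certbot's own code) that performs a pre-flight check: the file exists, is readable only by its owner, uses the scoped dns_cloudflare_api_token key rather than the account-wide dns_cloudflare_api_key, and no longer contains the placeholder value. The function name is ours; the path and file format are the ones used in the article.

```shell
#!/bin/sh
# Added example, not CloudStick's or Certbot's code: pre-flight checks on the
# Cloudflare credentials file before running certbot. It confirms the file
# exists, is readable by its owner only (Certbot warns about looser modes),
# uses a scoped dns_cloudflare_api_token rather than the account-wide
# dns_cloudflare_api_key, and does not still contain the placeholder value.
# Path and file format follow the article; the function name is ours.

check_cloudflare_creds() {
    file=$1
    [ -f "$file" ] || { echo "missing: $file"; return 1; }

    # Octal permission bits (GNU stat first, BSD stat as fallback)
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case "$mode" in
        600|400) ;;
        *) echo "unsafe mode $mode on $file (expected 600)"; return 2 ;;
    esac

    # The Global API Key grants full account access; a token can be scoped to Zone:DNS:Edit
    if grep -Eq '^[[:space:]]*dns_cloudflare_api_key[[:space:]]*=' "$file"; then
        echo "global API key in use; switch to a scoped API token"; return 3
    fi
    if ! grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*[A-Za-z0-9_-]+' "$file"; then
        echo "no dns_cloudflare_api_token line found"; return 4
    fi
    if grep -q 'YOUR_CLOUDFLARE_API_TOKEN' "$file"; then
        echo "placeholder token still present"; return 5
    fi
    echo "ok: $file"
}

# Usage: sh check_creds.sh /root/.secrets/cloudflare.ini
if [ $# -gt 0 ]; then
    check_cloudflare_creds "$1"
fi
```

Run it as root against /root/.secrets/cloudflare.ini; a non-zero exit code tells you which condition failed, so it can sit in front of the certbot command in a deployment script.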

Deploy and Verify

The certificate files land in /etc/letsencrypt/live/yourdomain.com/ as usual. Use the same fullchain.pem and privkey.pem in every Nginx server block that needs SSL — for yourdomain.com, app.yourdomain.com, and any other subdomain. You don't need separate certificate files per subdomain with a wildcard.

# Verify both apex and subdomain are covered (set the SNI name, close stdin so s_client exits;
# -ext needs OpenSSL 1.1.1 or newer)
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -subject -ext subjectAltName
# Expected output includes both:
DNS:yourdomain.com, DNS:*.yourdomain.com
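Reading the SAN line by eye is fine for two names, but it is easy to assume the wildcard covers more than it does. The following is an added example (not CloudStick's code) that reads the SAN list out of a certificate and applies the matching rule from the start of this article: *.yourdomain.com covers exactly one extra label, so app.yourdomain.com is covered while yourdomain.com (only via its own SAN entry) and a.b.yourdomain.com are not. The sample certificate is constructed in the script (self-signed, valid one day) so it runs offline; point cert_covers at /etc/letsencrypt/live/yourdomain.com/fullchain.pem to check a real deployment. The function names are ours.

```shell
#!/bin/sh
# Added example, not CloudStick's code: read the SAN list out of a certificate
# and decide which hostnames it actually covers, applying the rule from the
# article that "*.yourdomain.com" matches exactly one extra label. The sample
# certificate is constructed here (self-signed, one day) so the script runs
# offline; point it at /etc/letsencrypt/live/yourdomain.com/fullchain.pem to
# check a real deployment (openssl x509 reads the first, leaf, certificate).

# Print the DNS names from a PEM certificate, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
      | grep -A1 'Subject Alternative Name' \
      | tr ',' '\n' \
      | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Does one SAN entry cover the host? Exact match, or a wildcard whose base
# equals the host with its leftmost label stripped (so no apex, no a.b.base).
san_matches() {
    san=$1; host=$2
    case "$san" in
        \*.*)
            base=${san#\*.}
            [ "$host" != "$base" ] && [ "${host#*.}" = "$base" ] && [ -n "${host%%.*}" ]
            ;;
        *)
            [ "$san" = "$host" ]
            ;;
    esac
}

# Exit 0 if any SAN in the certificate covers the host, 1 otherwise.
cert_covers() {
    names=$(cert_dns_names "$1")
    while read -r san; do
        if [ -n "$san" ] && san_matches "$san" "$2"; then return 0; fi
    done <<EOF
$names
EOF
    return 1
}

# Constructed sample: self-signed cert carrying the SAN list a wildcard order yields.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj '/CN=yourdomain.com' \
      -addext 'subjectAltName=DNS:yourdomain.com,DNS:*.yourdomain.com' \
      -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Demo: which of these names does the apex + wildcard pair cover?
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/wild"
for h in yourdomain.com app.yourdomain.com api.yourdomain.com a.b.yourdomain.com yourdomain.com.evil.net; do
    if cert_covers "$demo_dir/wild.pem" "$h"; then
        echo "covered:     $h"
    else
        echo "NOT covered: $h"
    fi
done
rm -rf "$demo_dir"
```

The second-level case is the one that bites in practice: a per-customer layout like portal.customer.yourdomain.com needs its own certificate (or a wildcard for *.customer.yourdomain.com), and this check makes that visible before Nginx starts serving a mismatched name.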

Wildcard SSL in CloudStick

CloudStick supports wildcard certificates natively. When you create a website on a CloudStick-managed server and your DNS is connected through the Cloudflare integration, you can enable a wildcard certificate from the SSL panel with a single click. CloudStick handles the DNS-01 challenge via the Cloudflare API, deploys the certificate across all relevant Nginx vhosts for that domain, and schedules auto-renewal using the same DNS plugin approach described above. No terminal commands, no credential files to manage manually.

For agencies managing client servers, CloudStick's wildcard SSL is particularly valuable for client sites that use subdomains for staging or user portals — the certificate management burden drops to zero per subdomain once the wildcard is in place.
