A frequent request we get from new customers is:
Can I have a wildcard EV certificate?
The short answer: No. The rules for EV certificates, made by the browser vendors and CAs, prevent CAs from issuing EV certificates for wildcards.
OK, but why can't I have a wildcard EV certificate?
Excellent question. If you read around the Internet, you'll get answers like this one from Network Solutions:
in order to ensure that EV HTTPS Certificates are not issued fraudulently or misused after issuance
Wow. That was incredibly vague. Let's be specific:
Server names are read from left to right, but the hierarchy runs the other way: bankofamerica.com is 'bankofamerica', which sits underneath 'com' (the 'commercial' top-level domain). Email phishing attacks typically use hosts that look like they belong to one domain but are actually under another. Think of bankofamerica.com-fraud.ph. In this case 'bankofamerica' is underneath 'com-fraud.ph', a domain located in the Philippines.
With DV certificates:
- com-fraud.ph applies for and receives a wildcard SSL certificate for *.com-fraud.ph. The CA confirms only that they really control the domain com-fraud.ph.
- A short time later, com-fraud.ph adds a host (server) under com-fraud.ph called bankofamerica.com-fraud.ph. The wildcard already covers it, so the CA never sees the new name.
- com-fraud.ph sends out emails directing people to visit bankofamerica.com-fraud.ph.
- Browsers dutifully show https:// in green, since the web user has an encrypted connection going straight to the bad guys at bankofamerica.com-fraud.ph.
There are no wildcard EV certificates. So:
- All the servers in the certificate are explicitly mentioned. The CA (who verifies the identity) also ensures that all the server names (properly called Subject Alt Names) actually belong to the company being verified. New server names can be added to the certificate later for a small fee, and these are also reviewed by the CA.
- You won't ever see bankofamerica.com-fraud.ph with an EV certificate, because the application for the fraudulent subdomain would be reviewed by the CA, which would flag the fraud attempt and refuse to validate or sign the certificate.
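To make the two lists above concrete, here is an added example (not code from the original post) that implements the host-name matching rule of RFC 6125 section 6.4.3 and runs the post's names against a wildcard DV-style SAN list and an explicit EV-style SAN list. The SAN lists and host names are constructed assumptions modelled on the scenario above, not real certificates.

```python
"""Why a wildcard SAN covers hosts the CA never reviewed, while an explicit
SAN list does not.  Matching follows RFC 6125 section 6.4.3: a wildcard may
only be the complete left-most label, and it stands in for exactly one label.
"""
from typing import Dict, Iterable


def san_matches(san: str, hostname: str) -> bool:
    """Return True if one dNSName SAN entry covers hostname."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the whole left-most label and appear nowhere else
    # (*.example.com is valid; f*.example.com and a.*.example.com are not).
    if san_labels[0] != "*" or any("*" in label for label in san_labels[1:]):
        return False
    # One wildcard matches exactly one label, so *.com-fraud.ph does not
    # cover com-fraud.ph itself or www.bankofamerica.com-fraud.ph.
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]


def certificate_covers(sans: Iterable[str], hostname: str) -> bool:
    """True if any SAN in the certificate covers hostname."""
    return any(san_matches(san, hostname) for san in sans)


# Constructed SAN lists (assumptions) modelled on the post's scenario.
# DV wildcard: the CA checked control of com-fraud.ph, nothing more.
DV_WILDCARD_SANS = ["com-fraud.ph", "*.com-fraud.ph"]
# EV: every name was individually reviewed; a new name needs a new review.
EV_EXPLICIT_SANS = ["bankofamerica.com", "www.bankofamerica.com"]


def coverage(hostname: str) -> Dict[str, bool]:
    """Which of the two constructed certificates would a browser accept for hostname?"""
    return {
        "dv_wildcard": certificate_covers(DV_WILDCARD_SANS, hostname),
        "ev_explicit": certificate_covers(EV_EXPLICIT_SANS, hostname),
    }


if __name__ == "__main__":
    for host in ["bankofamerica.com-fraud.ph", "www.bankofamerica.com", "phish.bankofamerica.com"]:
        print(host, coverage(host))
```

The phishing host is accepted under the wildcard without any CA involvement, while adding any name to the explicit list forces a CA-reviewed reissue.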
Hence: it's hard for scammers to do phishing with EV certificates.
Coincidentally: Bank of America now uses an EV certificate, as do most banks.