Does wildcard order in certificate matter?

Does wildcard need to be in SAN or can it be the main domain name, for it to reliably work across different clients?

(I accidentally generated a certificate with the wildcard as the main domain, not SAN)

Thank you!


CN (which I guess is what you mean by main domain) is deprecated and will disappear eventually.

The only clients that have trouble with SAN/CN order that I can think of are really old versions of Outlook. I’m not aware of any others.


Thanks - good to know!

I meant CN. (I see both are listed in the actual cert:
Not Critical
DNS Name: *
DNS Name:

SSLabs ssltest gave me an A, which I concluded meant no real problems, but I wanted to check.

I was referring to the field name output by I flipped the fields trying to debug/resolve what turned out to be an unrelated problem:

Main_Domain KeyLength SAN_Domains Created Renew
* “” Mon May 20 02:41:13 UTC 2019 Fri Jul 19 02:41:13 UTC 2019 “” * Mon May 20 02:27:52 UTC 2019 Fri Jul 19 02:27:52 UTC 2019

Which BTW generates the oddest directory name for the cert files I have ever seen since using Unix/Linux since the 80s: ‘*’ (including the quotes). This ugliness alone is a good reason to assign the root domain to the CN…

(I wasted renewals testing when I couldn’t use --staging to debug, so am dangerously close to my weekly quota, if not there already.)

Take note of this text from's README:

After the cert is generated, you probably want to install/copy the cert to your Apache/Nginx or other servers. You MUST use this command to copy the certs to the target files, DO NOT use the certs files in ~/ folder, they are for internal use only, the folder structure may change in the future

Use --install-cert and avoid the naming hell.


Thank you for pointing this out. I definitely used that (and my original problem was an error in the install arguments like “–cert-file” etc.)

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.