Is it normal for two TLS certificates to be generated if I want to use a wildcard?

Well, I’ve never bought premium TLS certificates that cost an annual fee for issuing them. I always thought that if I subscribed to a premium one instead of using Let’s Encrypt, I’d get a single TLS certificate that works for the main domain and all subdomains (the wildcard).

But when using Caddy, no matter how I organize the Caddyfile, it always generates two TLS files, one for the main domain and another separate one for the wildcard.

So my questions are:

  • Do premium certificate providers also issue two TLS certificates?
  • Is this a limitation of Caddy?
  • Is this a limitation of Let’s Encrypt because it’s free?

Yes, it is.

One certificate:

*.example.com {
...
}

Two certificates:

example.com, *.example.com {
...
}

A *.example.com certificate does not cover example.com, so if you want the example.com site as well, you need a cert for that. Usually, external CAs issue a certificate with both example.com and *.example.com in the SAN field.

OK, but do premium certifiers issue two or only one?

Either-or. It depends on how you carve your CSR.

Caddy doesn’t do multiple SANs. It only does one SAN per cert.

Does that mean it’s possible to have just one certificate for both example.com and *.example.com? And isn’t there a way to do the same with Let’s Encrypt + Caddy?

Not with Caddy. Caddy only does one SAN per cert.

And Let’s Encrypt does support double SAN, right?

Yes.

And why doesn’t Caddy want to support double SAN? Is it difficult to implement?

You can search this forum for that 🙂