Why can't I get a wildcard EV certificate?

The short answer: bankofamerica.com-fraud.ph

By Mike on 15th March 2015

A frequent request we get from new customers is:

Can I have a wildcard EV certificate?

The short answer: No. The rules for EV certificates, made by the browser vendors and CAs, prevent CAs from issuing EV certificates for wildcards.

OK, but why can't I have a wildcard EV certificate?

Excellent question. If you read around the Internet, you'll get answers like this from Network Solutions :

in order to ensure that EV HTTPS Certificates are not issued fraudulently or misused after issuance

Wow. That was incredibly vague. Let's be specific:

Server names are evaluated from left to right - eg, bankofamerica.com is 'bankofamerica' which is underneath 'com' (the 'commercial' domain name). Email phishing attacks typically use hosts which looks like they're in one domain, but actually under another. Think of bankofamerica.com-fraud.ph. In this case 'bankofamerica' is underneath 'com-fraud.ph', which is located in the Philipines.

With DV certificates

With EV

There are no wildcard certificates for EV certificates. So:

Hence: it's hard for scammers to do phishing with EV certificates.

Coincidentally: Bank of America now uses an EV certificate, as do most banks.

Mike MacCana, founder at CertSimple.

CertSimple makes EV HTTPS fast and painless.

An EV HTTPS certificate verifies the company behind your website. But getting verified is a slow painful process. CertSimple provides EV HTTPS certificates 40x faster than other vendors. We check your company registration, network details, physical address and flag common errors before you pay us, provide verification steps specific for your company, update in realtime during the process, and even check your infrastructure to help you set up HTTPS securely.
Verify your site now!