A frequent request we get from new customers is:
The short answer: No. The rules for EV certificates, made by the browser vendors and CAs, prevent CAs from issuing EV certificates for wildcards.
Excellent question. If you read around the Internet, you'll get answers like this from Network Solutions :
in order to ensure that EV HTTPS Certificates are not issued fraudulently or misused after issuance
Wow. That was incredibly vague. Let's be specific:
Server names are evaluated from left to right - eg, bankofamerica.com is 'bankofamerica' which is underneath 'com' (the 'commercial' domain name). Email phishing attacks typically use hosts which looks like they're in one domain, but actually under another. Think of
bankofamerica.com-fraud.ph. In this case 'bankofamerica' is underneath 'com-fraud.ph', which is located in the Philipines.
com-fraud.phapplies for and receives a wildcard SSL certificate for
*.com-fraud.ph. The CA confirms they are really the domain
com-fraud.phadds a host (server) under
com-fraud.phsends out emails directing people to visit
There are no wildcard certificates for EV certificates. So:
Hence: it's hard for scammers to do phishing with EV certificates.
Coincidentally: Bank of America now uses an EV certificate, as do most banks.
Mike MacCana, founder at CertSimple.
An EV HTTPS certificate verifies the company behind your website. But getting verified is a slow painful process. CertSimple provides EV HTTPS certificates 40x faster than other vendors. We check your company registration, network details, physical address and flag common errors before you pay us, provide verification steps specific for your company, update in realtime during the process, and even check your infrastructure to help you set up HTTPS securely.
Verify your site now!