Can't get a double wildcard SSL cert


Our consul-domain is “” and we have a service “sometool”, and we have “dev/staging/prod” environments where the service can be deployed. I wanted to use Consul tags for the different environments. Thus the service could be found using the following names:

The issue is we get our certificates issued from a CA, and we currently use one certificate for all services, thus we would need a double wildcard cert:

Unfortunately, this is not supported by the CA.

Is there any workaround to this? Can the tag come second?

For e.g.

Then we could have one certificate * and that would work across all our services.

Wildcard certificates only support one level of subdomain, e.g. * but not *.*
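The single-label rule from the reply above, as an added example that is not part of the original thread: a matcher that follows the left-most-label wildcard rule TLS clients apply (RFC 6125, section 6.4.3), run against tag-first Consul names. The domain `service.consul.example` and the helper names are assumptions, since the thread's real domain is not shown.

```python
# Added example: how a TLS client decides whether a certificate name
# covers a hostname. All hostnames here are constructed for illustration.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` covers `hostname`."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # '*' never spans a dot, so both names must have the same label count.
    if len(p_labels) != len(h_labels):
        return False
    # A wildcard is only honoured in the left-most label ("*.*.x" is rejected).
    if any("*" in label for label in p_labels[1:]):
        return False
    # Everything to the right of the first label must match exactly.
    if p_labels[1:] != h_labels[1:]:
        return False
    left = p_labels[0]
    if "*" in left:
        # Only a whole-label wildcard is accepted here; partial forms
        # such as "d*v" are treated as non-matching.
        return left == "*" and bool(h_labels[0])
    return left == h_labels[0]


def uncovered(san_list, hostnames):
    """Hostnames that no entry in the certificate's SAN list covers."""
    return [h for h in hostnames
            if not any(wildcard_matches(s, h) for s in san_list)]


DOMAIN = "service.consul.example"          # assumed placeholder domain
ENVS = ["dev", "staging", "prod"]          # environments named in the thread
TAG_FIRST = [f"{env}.sometool.{DOMAIN}" for env in ENVS]

if __name__ == "__main__":
    # One wildcard for all services: covers the bare service name only.
    print(uncovered([f"*.{DOMAIN}"], [f"sometool.{DOMAIN}"] + TAG_FIRST))
    # A double wildcard would be ignored by clients even if a CA issued it.
    print(uncovered([f"*.*.{DOMAIN}"], TAG_FIRST))
    # A wildcard one level down covers the tag names of that one service.
    print(uncovered([f"*.sometool.{DOMAIN}"], TAG_FIRST))
```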

@number5 - you are right, they aren’t supported as I found out…and I should have checked Wikipedia.

I am wondering if the TAG part can be made to come second:
Then I can get a wildcard for: *

Instead of what it is now, which is: