Question
Why do wildcard certificates cause a name mismatch on second level subdomains?
For example, a certificate for *.example.com doesn't protect subdomain.subdomain.example.com.
Answer
This is normal behavior, as defined in RFC 2818, 3.1. Server Identity:
Names may contain the wildcard character '
In other words, the asterisk can only stand for one field (a single name component), and the certificate can only have one asterisk. That means the same certificate for *.example.com can't cover a two-level subdomain like subdomain.subdomain.example.com.
Workaround
As a workaround, create a wildcard certificate for the first level of the subdomain:
- Add subdomain.example.com with the Add Domain button (not the Add Subdomain button); see: How to add a domain in Plesk
- Issue a wildcard certificate for subdomain.example.com
The new certificate will cover the second level subdomain.
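The matching rule and the workaround above, as an added example (not Plesk's code and not taken from the RFC). The function names are hypothetical, the certificate names are constructed, and the asterisk is honoured only as the entire leftmost label, which is the form this article discusses:

```python
def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name pattern covers the hostname.

    Simplification (assumption): the asterisk is accepted only as the
    whole leftmost label, e.g. "*.example.com".
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")

    # The asterisk stands for exactly one label, so both names must have
    # the same number of labels and the hostname may not have empty ones.
    if len(p_labels) != len(h_labels) or not all(h_labels):
        return False

    first, rest = p_labels[0], p_labels[1:]

    # Only one asterisk is allowed, and only in the leftmost position.
    if any("*" in label for label in rest):
        return False
    if "*" in first and first != "*":
        return False

    if first == "*":
        return h_labels[1:] == rest
    return p_labels == h_labels


def covering_names(cert_names, hostname):
    """Return the certificate names that cover the hostname."""
    return [name for name in cert_names if wildcard_matches(name, hostname)]


if __name__ == "__main__":
    # Constructed certificate name lists for illustration.
    original_cert = ["example.com", "*.example.com"]
    workaround_cert = ["subdomain.example.com", "*.subdomain.example.com"]

    for host in ("subdomain.example.com", "subdomain.subdomain.example.com"):
        print(host)
        print("  original cert:  ", covering_names(original_cert, host) or "name mismatch")
        print("  workaround cert:", covering_names(workaround_cert, host) or "name mismatch")
```
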