wildcard subdomain SSL certs

published on 2009-12-22 in computing

A friend asked:

If I bought a wildcard certificate for *.domain.com, wouldn't that cover *.sub.domain.com?

Hrm...I had to look that one up. The answer is: no, not according to the RFC. RFC 2818 (section 3.1) states:

Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.

more here: http://www.ietf.org/rfc/rfc2818.txt
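To make the rule concrete, here is a small Python implementation of the RFC 2818 matching rule quoted above. This is an added example written for this post, not code from the RFC or from any TLS library; the certificate names and hostnames it checks (domain.com, sub.domain.com and the RFC's own a.com examples) are made up for the illustration. It also covers the other sentence of the quote, that a hostname matching any one of several dNSName entries is acceptable.

```python
import re


def rfc2818_match(pattern: str, hostname: str) -> bool:
    """Return True if hostname matches a certificate name under RFC 2818 s3.1.

    The wildcard '*' matches any single DNS label, or a fragment of one,
    but never spans a dot. So '*.a.com' matches 'foo.a.com' and not
    'bar.foo.a.com', and 'f*.com' matches 'foo.com' and not 'bar.com'.
    """
    # DNS names are case-insensitive; drop any trailing dot before splitting.
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")

    # A wildcard covers exactly one label, so the label counts must agree.
    # This is what makes '*.domain.com' fail to cover 'www.sub.domain.com'.
    if len(p_labels) != len(h_labels):
        return False

    for p, h in zip(p_labels, h_labels):
        if not p or not h:
            return False  # empty label (e.g. 'a..com') is never a match
        # Turn the pattern label into a regex: literal text is escaped and
        # each '*' becomes "any run of non-dot characters" (a label fragment).
        label_re = "^" + "[^.]*".join(re.escape(part) for part in p.split("*")) + "$"
        if not re.match(label_re, h):
            return False
    return True


def hostname_matches_cert(hostname: str, dns_names: list[str]) -> bool:
    """Accept if any dNSName in the certificate matches (RFC 2818: 'a match in
    any one of the set is considered acceptable')."""
    return any(rfc2818_match(name, hostname) for name in dns_names)


if __name__ == "__main__":
    # Constructed cases: the friend's question, then the RFC's own examples.
    cases = [
        ("*.domain.com", "www.domain.com"),        # True
        ("*.domain.com", "www.sub.domain.com"),    # False: wildcard is one label
        ("*.domain.com", "domain.com"),            # False: no label to match
        ("*.a.com", "foo.a.com"),                  # True  (RFC example)
        ("*.a.com", "bar.foo.a.com"),              # False (RFC example)
        ("f*.com", "foo.com"),                     # True  (RFC example)
        ("f*.com", "bar.com"),                     # False (RFC example)
    ]
    for pattern, host in cases:
        print(f"{pattern:16} vs {host:20} -> {rfc2818_match(pattern, host)}")

    # To cover both *.domain.com and *.sub.domain.com you need both names in
    # the certificate (or two certificates), not one wildcard.
    cert_names = ["*.domain.com", "*.sub.domain.com"]
    print(hostname_matches_cert("www.sub.domain.com", cert_names))  # True
```

The per-label regex is what enforces "component or component fragment": because the hostname is split on dots before matching, a `*` can never absorb a dot, so the only way to cover a deeper level is to list that name (or its own wildcard) as an additional dNSName in the certificate.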

There are reports that older versions of Firefox don't complain when encountering an out-of-spec sub-domain SSL wildcard, but IE would. I would recommend sticking with the RFC spec.

Tags: sysadmin