Most teams pick a wildcard certificate the same way they pick coffee: whatever the team running the infrastructure happened to grab first. Then someone leaks the key, and you discover that one .pem file was authoritative for 200 subdomains, including the prod admin panel that was supposed to be on a separate trust boundary. The flip side is just as ugly. Teams that swore off wildcards end up with a 90-entry SAN certificate that nobody can renew without breaking three services and tripping a rate limit at Let's Encrypt. This is a blast-radius decision, not a cost decision. If you're still framing wildcard vs SAN as "save $200/year on certs," you haven't been on the wrong side of a key compromise yet. I have. We're going to walk through what actually breaks, where the thresholds sit, and what mature teams settle on after they've been burned by both.…
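The "one key was authoritative for 200 subdomains" problem can be measured before a compromise rather than discovered after one. As an added example that is not part of the original post, here is a small stdlib-only Python check that computes that blast radius from a certificate's SAN entries and a host inventory; the SAN list and hostnames below are constructed, and in practice you would pull the names from the certificate with `openssl x509 -noout -ext subjectAltName -in cert.pem`.

```python
"""Blast-radius check: which inventory hosts would a certificate's private key vouch for?

Wildcard matching follows the rules browsers actually enforce (RFC 6125 / RFC 9525):
'*' must be the entire leftmost label and matches exactly one label, so
'*.example.com' covers 'admin.example.com' but neither 'example.com' nor
'a.b.example.com'. Partial wildcards such as 'f*.example.com' are rejected here,
which is the conservative reading and what current browsers do.
"""
from __future__ import annotations

from typing import Iterable


def san_matches(san: str, host: str) -> bool:
    """True if a single SAN dNSName entry covers `host` under browser wildcard rules."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in san:
        return san == host
    labels = san.split(".")
    # Whole leftmost label only, no '*' elsewhere, and at least two fixed labels
    # so that a '*.com'-style name never counts as covering anything.
    if labels[0] != "*" or any("*" in lab for lab in labels[1:]) or len(labels) < 3:
        return False
    host_labels = host.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def blast_radius(sans: Iterable[str], inventory: Iterable[str]) -> dict[str, list[str]]:
    """Map each SAN entry to the inventory hosts its key would be trusted for."""
    sans = list(sans)
    covered: dict[str, list[str]] = {san: [] for san in sans}
    for host in inventory:
        for san in sans:
            if san_matches(san, host):
                covered[san].append(host)
    return covered


# Constructed sample: one wildcard cert and an inventory spanning two trust boundaries.
SANS = ["*.example.com", "example.com"]
INVENTORY = [
    "www.example.com", "api.example.com",
    "admin.example.com",   # meant to live on a separate trust boundary
    "example.com", "a.b.example.com", "example.org",
]

if __name__ == "__main__":
    for san, hosts in blast_radius(SANS, INVENTORY).items():
        print(f"{san}: {len(hosts)} host(s) -> {hosts}")
```

Run it against your real inventory and a wildcard entry that lists an admin or prod-only host is the trust-boundary violation the intro describes.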