
Clarification on SNI usage with wildcard vs single-domain certificates

Open vjmax opened this issue 5 months ago • 1 comment

Hi team,

I’d like to confirm my understanding of how Warpgate handles TLS certificate selection with SNI when using wildcard or single-domain certificates.

Scenario

  • My external_host is set to: wg.mycompany.com
  • I want to expose multiple targets using subdomains like:
    • git.wg.mycompany.com
    • my.wg.mycompany.com

Certificate Setup & Questions

  1. If I use a wildcard certificate for *.wg.mycompany.com, can I bind all these subdomains without configuring http.sni_certificates?

    → My understanding is that the default wildcard cert will match all subdomains, and therefore SNI setup is not required.

  2. If I use individual certificates for each subdomain (e.g. git.wg.mycompany.com, my.wg.mycompany.com), then I must define each one in http.sni_certificates, otherwise TLS will fall back to the default cert and likely cause a domain mismatch warning.

    → Is this understanding correct?

Just looking to confirm best practices for managing multiple HTTPS-bound targets with different domain strategies.

Thanks for the great project and support!

vjmax, Jul 17 '25 07:07

  1. Yes - you can use a wildcard certificate as the only certificate (or a fallback certificate with SNI) and it will work.
  2. Yes, individual certificates have to be listed individually in http.sni_certificates.

Eugeny, Jul 17 '25 15:07
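The two scenarios from the thread, worked through as an added example (this is not Warpgate's code and not written by the project; it models generic TLS behaviour: the server presents the first SNI certificate whose subjectAltName covers the name the client sent, otherwise the default certificate, and the client then checks that name against the certificate using RFC 6125 wildcard rules). Certificates are modelled as the list of DNS names in their SAN, and the `Cert`, `select_cert` and scenario names are assumptions for the example. Beyond the thread, it also shows the caveat that a `*.wg.mycompany.com` wildcard does not cover the apex name `wg.mycompany.com` (the `external_host` in the question) nor a two-level name such as `deep.git.wg.mycompany.com`, so those would still fall through to a mismatch:

```python
"""Model of SNI-based certificate selection plus RFC 6125 hostname matching.

Added illustration, not Warpgate's implementation. A certificate is modelled
by the DNS names in its subjectAltName; the "default" / "sni_certs" split
mirrors the http.certificate / http.sni_certificates idea from the thread,
but the data shapes here are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    label: str                   # human-readable name used in the results
    dns_names: Tuple[str, ...]   # subjectAltName DNS entries


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style matching as browsers apply it: a wildcard must be the
    entire left-most label, must have at least two labels after it, and
    matches exactly one label. So *.wg.example matches git.wg.example but
    neither wg.example nor a.b.wg.example."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:]:
        return False  # partial wildcards like g*.wg.example are rejected
    if len(p_labels) < 3:
        return False  # *.com style wildcards are rejected
    if len(p_labels) != len(h_labels):
        return False  # wildcard covers exactly one label
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert: Cert, hostname: str) -> bool:
    """True if any SAN entry of the certificate matches the hostname."""
    return any(hostname_matches(n, hostname) for n in cert.dns_names)


def select_cert(default: Cert, sni_certs: List[Cert], server_name: Optional[str]) -> Cert:
    """Server side: present the first SNI certificate covering the name the
    client sent, otherwise the default. A client that sends no SNI at all
    always receives the default certificate."""
    if server_name:
        for cert in sni_certs:
            if cert_covers(cert, server_name):
                return cert
    return default


def check_hostnames(default: Cert, sni_certs: List[Cert],
                    hostnames: List[str]) -> Dict[str, Tuple[str, bool]]:
    """For each hostname: which certificate is served, and whether the client
    would accept it (False means a name-mismatch warning)."""
    result = {}
    for host in hostnames:
        served = select_cert(default, sni_certs, host)
        result[host] = (served.label, cert_covers(served, host))
    return result


# Constructed sample data following the names used in the issue.
HOSTS = ["wg.mycompany.com", "git.wg.mycompany.com",
         "my.wg.mycompany.com", "deep.git.wg.mycompany.com"]
WILDCARD = Cert("wildcard", ("*.wg.mycompany.com",))
APEX = Cert("apex", ("wg.mycompany.com",))
GIT = Cert("git", ("git.wg.mycompany.com",))
MY = Cert("my", ("my.wg.mycompany.com",))


def scenario_wildcard_only() -> Dict[str, Tuple[str, bool]]:
    """Question 1: wildcard as the only certificate, no sni_certificates."""
    return check_hostnames(WILDCARD, [], HOSTS)


def scenario_individual_listed() -> Dict[str, Tuple[str, bool]]:
    """Question 2: per-subdomain certificates listed in sni_certificates."""
    return check_hostnames(APEX, [GIT, MY], HOSTS)


def scenario_individual_not_listed() -> Dict[str, Tuple[str, bool]]:
    """Question 2, the failure mode: per-subdomain certs exist but are not
    listed, so every subdomain falls back to the default and mismatches."""
    return check_hostnames(APEX, [], HOSTS)


if __name__ == "__main__":
    for name, fn in [("wildcard only", scenario_wildcard_only),
                     ("individual, listed", scenario_individual_listed),
                     ("individual, not listed", scenario_individual_not_listed)]:
        print(f"== {name}")
        for host, (served, ok) in fn().items():
            print(f"  {host:28} served={served:9} {'ok' if ok else 'MISMATCH'}")
```

Running it shows the wildcard-only setup covering git.wg and my.wg but not wg.mycompany.com itself, and the individual-certificate setup only working for the names actually listed; anything unlisted, or a deeper subdomain, is answered with the fallback certificate and fails the client's name check.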