Comment by gruez 21 hours ago

>Wildcard certs are not sufficient here because they don't support nested wildcards

How many levels of dots do you need?

>I'd rather not give some rando vibecoded nodejs app the same certificate that I use to handle auth.

Use a reverse proxy to handle TLS instead?
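Why a wildcard certificate stops at exactly one label (the "nested wildcard" limit the quoted comment refers to), as an added example that is not part of either commenter's post: a minimal RFC 6125-style wildcard matcher run over constructed hostnames, showing which hosts a `*.example.com` SAN cannot cover.

```python
# Wildcard DNS-ID matching as TLS clients implement it (RFC 6125 section 6.4.3):
# a '*' is accepted only as the entire left-most label and matches exactly one
# label, never a dot. So "*.example.com" covers "api.example.com" but not
# "api.dev.example.com", and "*.*.example.com" is not a valid pattern at all.
# Added example with constructed names; not code from the thread.

def wildcard_matches(pattern: str, hostname: str) -> bool:
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):                 # '*' never spans a label boundary
        return False
    if "*" not in p:                     # no wildcard: exact (case-insensitive) match
        return p == h                    # (partial labels like "f*" are treated as literal)
    if p[0] != "*" or "*" in p[1:]:      # only a full left-most label may be '*'
        return False
    if len(p) < 3:                       # conservative: refuse "*.com"-style patterns
        return False
    return h[0] != "" and p[1:] == h[1:]

def cert_covers(san_dns_names, hostname: str) -> bool:
    """True if any dNSName SAN entry of a certificate matches hostname."""
    return any(wildcard_matches(san, hostname) for san in san_dns_names)

def hosts_needing_own_cert(san_dns_names, hostnames):
    """Hosts in the list that a cert with these SANs cannot be presented for."""
    return [h for h in hostnames if not cert_covers(san_dns_names, h)]

if __name__ == "__main__":
    # Constructed sample: one wildcard cert, a two-level internal naming scheme.
    sans = ["example.com", "*.example.com"]
    hosts = ["example.com", "api.example.com", "api.dev.example.com",
             "laptop.alice.devices.example.com"]
    for h in hosts:
        print(f"{h:40} covered={cert_covers(sans, h)}")
    print("need their own cert:", hosts_needing_own_cert(sans, hosts))
```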

infogulch 20 hours ago

I want to give every device its own certificate to authenticate it with others via headscale to facilitate web development collaboration and authenticate remote management. I want to have a lightweight forward proxy in a semi-trusted remote VPS to proxy email at a particular domain down to my local mail server. I want to delegate maintenance of some application to a particular department. I want microservices run by different teams to communicate via authenticated TLS. I want to run web services in my mars data center without wasting precious bandwidth on thousands of redundant ACME requests. Etc, etc, etc.

In all of these cases it would be idiotic to distribute the same wildcard cert to each host. And please don't say "you just shouldn't want to do that".