nebari-dev · costrouc · Oct 20, 2021 · Oct 20, 2021 · Oct 20, 2021 · Oct 20, 2021
diff --git a/docs/source/installation/configuration.md b/docs/source/installation/configuration.md
@@ -120,6 +120,15 @@ kubectl create secret tls <secret-name> \
   --cert=path/to/cert/file --key=path/to/key/file
 ```
 
+### Wildcard certificates
+
+Some of QHub services might require special subdomains under your certificate, Wildcard certificates allow you to secure all subdomains of a domain with a single certificate. Defining a wildcard certificate decreases the amount of CN names you would need to define under the certificate configuration and reduces the chance of generating a wrong subdomain.
+
+**Note**
+It's not possible to request a double wildcard certificate for a domain (for example *.*.local.com). As a default behaviour of [Traefik](https://doc.traefik.io/traefik/https/tls/#default-certificate), if the Domain Name System (DNS) and Common Name (CN) name doesn't match, Traefik generates and uses a self-signed certificate. This may lead to some unexpected [TLS](https://www.internetsociety.org/deploy360/tls/basics) issues, so as an alternative of including each specific domain under the certificate CN list, you may also define a wildcard certificate.
+
+
+
 ## Security
 
 This section is for configuring security relating to the QHub