SSL setup: UCC or wildcard certificates?

Posted by quanza on Server Fault
Published on 2010-04-25T07:30:18Z Indexed on 2010/04/25 7:33 UTC

I've scoured the web for a clear and concise answer to my SSL question, but to no avail. So here goes:

I have a web-service requiring SSL support for authentication pages. The root-level domain does not have the "www" - i.e., secure://domain.com - but localized pages use "language-code.domain.com", i.e. secure://ja.domain.com

So I need at least a wildcard SSL certificate that supports secure://*.domain.com

However, we also have a public sandbox environment at sandbox.domain.com, which we also need to support under localized domains - so secure://ja.sandbox.domain.com needs to also work.

The previous admin managed to purchase a wildcard SSL certificate for \*.domain.com, but with a Subject Alternative Name for "domain.com". So, I'm thinking of trying to get a wildcard certificate with SANs defined as "domain.com" and "\*.\*.domain.com".

But now I'm getting confused because there seem to be separate SAN certificates, also called UCC certificates.

Can someone clarify whether it's possible to get a wildcard certificate with additional SAN fields, and ultimately what the best way is to support:

secure://domain.com
secure://\*.domain.com
secure://\*.\*.domain.com

with the fewest (and cheapest!) number of SSL certificates?

Thanks!
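An added example, not part of the original post: a small matcher following the RFC 6125 rule that a wildcard covers exactly one left-most label, run over the hostnames from the question to show which ones each SAN list leaves uncovered. The SAN lists are constructed candidates, and whether a given CA will issue a certificate carrying them is not checked here.

```python
# Added example: which hostnames does a certificate's SAN list cover?
# Hostnames come from the question; the SAN lists are constructed.

def san_matches(pattern: str, host: str) -> bool:
    """Return True if one SAN dNSName entry covers `host`.

    Only a wildcard that is the complete left-most label is honoured,
    and it stands for exactly one label (RFC 6125, section 6.4.3).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more or fewer labels
    if any("*" in label for label in p[1:]):
        return False  # wildcard outside the left-most label is not honoured
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def uncovered(sans, hosts):
    """Hostnames that no entry in the SAN list matches."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


HOSTS = [
    "domain.com",
    "ja.domain.com",
    "sandbox.domain.com",
    "ja.sandbox.domain.com",
]

CANDIDATES = {
    "wildcard only": ["*.domain.com"],
    "wildcard + apex SAN": ["*.domain.com", "domain.com"],
    "double wildcard": ["domain.com", "*.domain.com", "*.*.domain.com"],
    "two wildcards + apex": ["domain.com", "*.domain.com",
                             "*.sandbox.domain.com"],
}

if __name__ == "__main__":
    for name, sans in CANDIDATES.items():
        print(f"{name:22} uncovered: {uncovered(sans, HOSTS)}")
```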
