A TLS certificate that secures a domain and all its subdomains with a single cert. Instead of requiring separate certs for mail.example.com, api.example.com, etc., one wildcard (*.example.com) covers them all.
Wildcards scale poorly beyond one level of subdomain depth. *.example.com covers sub.example.com but not deep.sub.example.com. You need a separate cert for that. Many registrars and CAs push multi-domain (SAN) certificates instead because they're better marketed, not because they're technically superior—they're just easier to sell.
Wildcards matter if you're spinning up infrastructure fast, proxying traffic through subdomains, or running services where subdomain cardinality is high or unpredictable. Let's Encrypt issues them free. Self-signed wildcards cost nothing either. The catch: browsers will scream at self-signed certs, and ACME validation (DNS or HTTP) requires you to prove control of the base domain at each renewal.
For bulletproof setups: wildcard + DNSSEC + CAA records that whitelist only your CA = harder to hijack. CAA records especially: they tell CAs "only issue from this list." No CAA = any CA can issue for your domain.
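How a CA evaluates the CAA records described above, as an added example that is not part of the original page: it follows the RFC 8659 rules, including the issuewild tag that governs wildcard requests specifically. The zone data and the other-ca.example identifier are constructed, and relevant_rrset and ca_may_issue are hypothetical helper names.

```python
# Added example: CAA evaluation per RFC 8659 over constructed records.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data: name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "letsencrypt.org; validationmethods=dns-01"),
        (0, "iodef", "mailto:security@example.com"),
    ],
    "static.example.com": [(0, "issue", ";")],  # empty issuer: no CA may issue
}


def relevant_rrset(zone, name):
    """Climb from the name toward the root; the first non-empty CAA set wins."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":  # a wildcard request is checked starting at its parent
        labels = labels[1:]
    while labels:
        records = zone.get(".".join(labels))
        if records:
            return records
        labels = labels[1:]
    return []


def ca_may_issue(zone, name, ca_domain):
    """Return True if CAA permits ca_domain to issue a cert for name."""
    records = relevant_rrset(zone, name)
    # An unrecognised tag with the critical bit (128) set forbids issuance.
    if any(f & 128 and t.lower() not in KNOWN_TAGS for f, t, _ in records):
        return False
    wanted = "issue"
    if name.startswith("*.") and any(t.lower() == "issuewild" for _, t, _ in records):
        wanted = "issuewild"  # when present, issuewild alone governs wildcards
    # Keep only the issuer domain; parameters after ';' are not compared here.
    allowed = [v.split(";")[0].strip().lower()
               for _, t, v in records if t.lower() == wanted]
    if not allowed:  # no CAA anywhere, or nothing that restricts issuance
        return True
    return ca_domain.lower() in allowed
```

A zone that sets issue for your CA but issuewild to ";" allows ordinary certs while blocking wildcard issuance entirely, which is the setting to use on domains that should never have a wildcard.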