A certificate can have an effectively unlimited (CAs impose an arbitrary limit like 100, nobody is sure the maximum that could work) number of names listed (the subscriber will have to achieve proof of control for all these names to get the cert).
Each name can either be an exact fully qualified domain name, and will match only that single name, or it can be a "wildcard" like *.example.com which matches any DNS name with exactly one label (a part with no dots in, essentially) where the asterisk is and the rest an exact match.
Thus, a wildcard in com, even if it could exist (it is forbidden to issue such a thing) would not match service.example.com only the exact name example.com itself.
A certificate can have an effectively unlimited (CAs impose an arbitrary limit like 100, nobody is sure the maximum that could work) number of names listed (the subscriber will have to achieve proof of control for all these names to get the cert).
Each name can either be an exact fully qualified domain name, and will match only that single name, or it can be a "wildcard" like *.example.com which matches any DNS name with exactly one label (a part with no dots in, essentially) where the asterisk is and the rest an exact match.
Thus, a wildcard in com, even if it could exist (it is forbidden to issue such a thing) would not match service.example.com only the exact name example.com itself.