> Rather than issuing individual certificates for every internal host, a wildcard for something like *.int.example.com covers everything under that subdomain.
Congrats now one host is compromised and the certificate for the entirety of your private infrastructure is leaked.