What kind of problems would there be with the wildcard certs in your environment?
I reviewed my notes from the conversation we had. The problem is this ....
Users of a particular application have been told they can refer to the application in the URL as 'blah' where the fully qualified domain is 'blah.company.com'. Many of them open IE, type 'blah', and they're at the login page. They like this, as opposed to opening a bookmark, or finding the link on our corporate intranet page.
So the problem is that a wildcard (*.company.com) would not cover 'blah'.
On the other hand, the owner of that application has already said that SSH is important and while it would be nice to preserve the 'blah' functionality, if we can't do it then .. oh well.
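The mismatch described in the post above, as an added example that is not part of the original thread: a simplified RFC 6125-style hostname check showing why a `*.company.com` entry does not cover the short name `blah`. The function names and the SAN lists are constructed for illustration.

```python
# Added example: simplified dNSName matching in the style of RFC 6125.
# Function names are hypothetical; SAN lists below are constructed samples.

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def san_matches(pattern, host):
    """Return True if one certificate SAN entry covers the requested host."""
    p, h = _labels(pattern), _labels(host)
    # A wildcard stands for exactly one label, so label counts must agree.
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Simplification: accept '*' only as the whole left-most label,
        # with at least two literal labels after it (rejects '*.com').
        if len(p) < 3 or "*" in "".join(p[1:]) or h[0] == "":
            return False
        return p[1:] == h[1:]
    # No partial wildcards such as 'b*.company.com'; exact match only.
    return "*" not in pattern and p == h


def covering_entry(sans, host):
    """Return the first SAN entry that covers host, or None."""
    for entry in sans:
        if san_matches(entry, host):
            return entry
    return None


if __name__ == "__main__":
    wildcard_only = ["*.company.com"]            # constructed SAN list
    for typed in ("blah.company.com", "blah", "a.blah.company.com"):
        hit = covering_entry(wildcard_only, typed)
        print(f"{typed!r}: {'covered by ' + hit if hit else 'name mismatch'}")
```

The browser compares the certificate against the name the user typed, not the name DNS suffix search resolved it to, which is why `blah` produces a name-mismatch warning even though it reaches the same server.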