
Do you mean like a wildcard certificate? http://en.wikipedia.org/wiki/Wildcard_certificate



Wildcard certificates are only valid for the subdomain level directly under it. [1] If I get a wildcard certificate for example.com (the common name is set to *.example.com), foo.bar.example.com will throw an error.

[1] https://en.wikipedia.org/wiki/Wildcard_certificate#Limitatio...


The specification isn't particularly clear, but it seems to me that RFC 2818 section 3.1 [1] could permit some dangerously broad wildcards like "*.com", "www.*.com", or even "*.*". Combined with subject alternate names, it may be possible to create a certificate that's valid for almost anything.

[1]: http://tools.ietf.org/html/rfc2818#section-3.1


IIRC, top-level and "match all" wildcard certificates were originally permitted by design (e.g., for intranet and proxy applications), but most modern browsers block them for security reasons.
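
Added example, not part of the thread or any commenter's code: a strict hostname matcher that shows the single-label limit and the rejection of overly broad wildcards discussed above. The function names and the small public-suffix set are assumptions for illustration; real clients consult the full Public Suffix List.

```python
# Constructed sample; a real verifier uses the complete Public Suffix List.
SAMPLE_PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name covers the hostname.

    Strict policy (an assumption, tighter than RFC 2818 section 3.1):
    '*' must be the whole leftmost label, stands for exactly one label,
    and the part after it must not be a TLD or public suffix.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname  # plain name: exact match only

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    # Rejects "www.*.com", "f*.example.com" and "*.*".
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False

    # Rejects "*", "*.com" and "*.co.uk": the base is missing or too broad.
    base = ".".join(p_labels[1:])
    if "." not in base or base in SAMPLE_PUBLIC_SUFFIXES:
        return False

    # One label only: "*.example.com" covers "foo.example.com" but not
    # "foo.bar.example.com" and not the bare "example.com".
    return (
        len(h_labels) == len(p_labels)
        and h_labels[0] != ""
        and h_labels[1:] == p_labels[1:]
    )


def cert_covers(names, hostname: str) -> bool:
    """Check a hostname against every name (CN or SAN entry) in a cert."""
    return any(wildcard_matches(name, hostname) for name in names)


if __name__ == "__main__":
    for pat, host in [("*.example.com", "foo.example.com"),
                      ("*.example.com", "foo.bar.example.com"),
                      ("*.com", "example.com"),
                      ("www.*.com", "www.example.com"),
                      ("*.*", "example.com")]:
        print(f"{pat!r:18} vs {host!r:24} -> {wildcard_matches(pat, host)}")
```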



