diff --git a/default.nix b/default.nix
index 3abdfbc..6bd499c 100644
--- a/default.nix
+++ b/default.nix
@@ -675,6 +675,19 @@ in
 '';
 };
 
+ acmeCertificateName = mkOption {
+ type = types.str;
+ default = cfg.fqdn;
+ example = "example.com";
+ description = ''
+ ({option}`mailserver.certificateScheme` == `acme`)
+
+ When the `acme` `certificateScheme` is selected, you can use this option
+ to override the default certificate name. This is useful if you've
+ generated a wildcard certificate, for example.
+ '';
+ };
+
 enableImap = mkOption {
 type = types.bool;
 default = true;
diff --git a/mail-server/assertions.nix b/mail-server/assertions.nix
index d2c44ea..2b4b262 100644
--- a/mail-server/assertions.nix
+++ b/mail-server/assertions.nix
@@ -13,5 +13,10 @@
 assertion = config.mailserver.forwards == {};
 message = "When the LDAP support is enable (mailserver.ldap.enable = true), it is not possible to define mailserver.forwards";
 }
+ ] ++ lib.optionals (config.mailserver.certificateScheme != "acme") [
+ {
+ assertion = config.mailserver.acmeCertificateName == config.mailserver.fqdn;
+ message = "When the certificate scheme is not 'acme' (mailserver.certificateScheme != \"acme\"), it is not possible to define mailserver.acmeCertificateName";
+ }
 ];
 }
diff --git a/mail-server/common.nix b/mail-server/common.nix
index edea7f0..4e301c5 100644
--- a/mail-server/common.nix
+++ b/mail-server/common.nix
@@ -26,7 +26,7 @@ in
 else if cfg.certificateScheme == "selfsigned"
 then "${cfg.certificateDirectory}/cert-${cfg.fqdn}.pem"
 else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
- then "${config.security.acme.certs.${cfg.fqdn}.directory}/fullchain.pem"
+ then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/fullchain.pem"
 else throw "unknown certificate scheme";
 
 # key :: PATH
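Review bot: The scope of the new option disagrees between the files touched here: the common.nix hunks read `cfg.acmeCertificateName` on the branch that covers both `acme` and `acme-nginx`, and the second nginx.nix hunk attaches `reloadServices` to the renamed certificate, yet the assertion added in assertions.nix rejects any non-default value whenever `certificateScheme != "acme"`, so an `acme-nginx` deployment can never use the override that those code paths honour. Which side is intended is not visible in the diff; either the lookups in common.nix and nginx.nix should keep `cfg.fqdn` outside the `acme` scheme, or the guard should become `lib.optionals (!(builtins.elem config.mailserver.certificateScheme [ "acme" "acme-nginx" ]))` with the assertion message adjusted to match. The option description's first line, `({option}`mailserver.certificateScheme` == `acme`)`, should then name exactly the schemes the option applies to. If the module sets other per-certificate settings (group, permissions, postRun) on the `cfg.fqdn` entry elsewhere, those would also need to follow the new name, since only `reloadServices` is moved here.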
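Review bot: With a non-default `acmeCertificateName`, `config.security.acme.certs.${cfg.acmeCertificateName}.directory` in the common.nix hunk (and the matching `key.pem` lookup in the second common.nix hunk) becomes an attribute lookup on a certificate the user must declare themselves, so a typo or a cert configured under a different name fails at evaluation with a generic missing-attribute error rather than one that points at the option. An assertion alongside the new one in assertions.nix, e.g. `assertion = builtins.hasAttr config.mailserver.acmeCertificateName config.security.acme.certs;` guarded by the `acme` scheme, would make that failure self-explanatory; whether evaluating `config.security.acme.certs` from the assertions list is free of recursion here should be confirmed against the rest of the module. The surrounding `certificatePath` expression starts above the hunk.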
@@ -35,7 +35,7 @@ in
 else if cfg.certificateScheme == "selfsigned"
 then "${cfg.certificateDirectory}/key-${cfg.fqdn}.pem"
 else if cfg.certificateScheme == "acme" || cfg.certificateScheme == "acme-nginx"
- then "${config.security.acme.certs.${cfg.fqdn}.directory}/key.pem"
+ then "${config.security.acme.certs.${cfg.acmeCertificateName}.directory}/key.pem"
 else throw "unknown certificate scheme";
 
 passwordFiles = let
diff --git a/mail-server/nginx.nix b/mail-server/nginx.nix
index 4f0cb1a..a037f56 100644
--- a/mail-server/nginx.nix
+++ b/mail-server/nginx.nix
@@ -17,7 +17,7 @@
 { config, pkgs, lib, ... }:
 
-with (import ./common.nix { inherit config; });
+with (import ./common.nix { inherit config lib pkgs; });
 
 let
 cfg = config.mailserver;
 
@@ -34,7 +34,7 @@ in
 };
 };
 
- security.acme.certs."${cfg.fqdn}".reloadServices = [
+ security.acme.certs."${cfg.acmeCertificateName}".reloadServices = [
 "postfix.service"
 "dovecot2.service"
 ];