A wildcard SSL certificate for *.example.net will match sub.example.net but not sub.sub.example.net.
From RFC 2818:

Matching is performed using the matching rules specified by RFC2459. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.example matches foo.a.example but not bar.foo.a.example. f*.example matches foo.example but not bar.example.
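The matching rule quoted above, written out as a label-by-label check. This is an added example, not code from the original answer or from any TLS library; the function names and the handling of multiple wildcards and empty labels are assumptions made for illustration.

```python
# Added example: hostname matching per the RFC 2818 text quoted above.
# Function names and sample hostnames are constructed for illustration.

def label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label against a pattern label with at most one '*'."""
    if "*" not in pattern:
        return pattern == label
    if pattern.count("*") > 1:
        return False  # assumption: reject several wildcards in one label
    prefix, suffix = pattern.split("*")
    # '*' stands for part of this one label only; it never spans a dot.
    return (len(label) >= len(prefix) + len(suffix)
            and label.startswith(prefix)
            and label.endswith(suffix))


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if hostname matches one dNSName pattern, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard covers a single component, so the label counts must be
    # equal: *.example.net can never match sub.sub.example.net.
    if len(p_labels) != len(h_labels):
        return False
    if any(not label for label in h_labels):
        return False  # assumption: empty labels are never valid
    return all(label_matches(p, h) for p, h in zip(p_labels, h_labels))


def certificate_matches(dns_names, hostname: str) -> bool:
    """A match against any one dNSName in the certificate is acceptable."""
    return any(hostname_matches(name, hostname) for name in dns_names)


if __name__ == "__main__":
    cases = [  # constructed sample inputs
        ("*.example.net", "sub.example.net"),
        ("*.example.net", "sub.sub.example.net"),
        ("*.example.net", "example.net"),
        ("f*.example", "foo.example"),
        ("f*.example", "bar.example"),
    ]
    for pattern, host in cases:
        print(f"{pattern:15} {host:22} {hostname_matches(pattern, host)}")
```

Note that the bare domain example.net is not covered by *.example.net either, so a certificate needs it as a separate dNSName. Later specifications (RFC 6125, RFC 9525) narrow these rules, and RFC 9525 no longer permits fragment wildcards such as f*.example.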