Certificates are used to prove the identity of a given domain. e.g., if you visit https://news.ycombinator.com (https), when your browser connects, the server offers a certificate that basically says “this is the certificate for news.ycombinator.com”. Your browser verified that the domain on the certificate is the same as the domain you’re visiting. If they’re different (or if there’s is something else wrong with the certificate like it expired), you are shown a warning that says “It may not be safe”.

Some sites have a multitude of domains and they don’t want to have a different certificate for each. Fortunately, there is a way to specify wildcard expressions in a certificate. For example, many SaaS tools where your account name is part of the domain (e.g., my company’s PagerDuty account is at opsevel.pagerduty.com). A certificate that could be provisioned would be for .pagerduty.com and that would work for all of their subdomains (one per customer).

This site invented a cute trick where they used wildcards to essentially match any* domain or arbitrarily deep level of subdomains. It literally is a certificate that could be used by any domain because its wildcards match everything. Of course, it provides no security because it’s vacuously passing.

Certificates list what website they are a certificate for. Wildcards are allowed in some cases. This certificate claims it certifies every website.

There's a mechanism called certificate chains that allows browsers to validate that the certificte actually has the authority it claims to have - obviously, this certificate would not pass that validation.