config/ssl: Clarify how TLS certificates are matched.

Author: cmouse

docs/core/config/ssl.md

@@ -222,6 +222,14 @@ It is important to note that having multiple SSL certificates per IP will
 not be compatible with all clients, especially mobile ones. It is a TLS
 SNI limitation.
 
+To use wildcard certificates, please note that `*` will only apply to the
+label only, this is not a limitation in Dovecot, but in TLS generally. This
+means that while `*.example.org` matches `mail.example.org`, but will not match
+`int.mail.example.org`.
+
+Another important to note is that [[setting,local_name]] ordering matters. You
+must specify wildcard certificate first, followed by any more specific names.
+
 ```[dovecot.conf]
 local_name imap.example.org {
   ssl_server_cert_file = /etc/ssl/certs/imap.example.org.crt