The simplest thing you can enter in the ‘Valid hosts this key is trusted to certify’ edit box is just a hostname wildcard such as ‘*.example.com’. This matches any host in any subdomain, so both ‘ssh.example.com’ and ‘login.dept.example.com’ would match, but ‘prod.example.net’ would not.
But you can also enter multiple host name wildcards, and port number ranges, and make complicated Boolean expressions out of them using the operators ‘&&’ for ‘and’, ‘||’ for ‘or’, ‘!’ for ‘not’, and parentheses.
For example, here are some other things you could enter.
*.foo.example.com || *.bar.example.com’. This means the CA is trusted to sign the host key for a connection if the host name matches ‘*.foo.example.com’ or it matches ‘*.bar.example.com’. In other words, the CA has authority over those two particular subdomains of example.com, but not for anything else, like www.example.com.
*.example.com && ! *.extrasecure.example.com’. This means the CA is trusted to sign the host key for a connection if the host name matches ‘*.example.com’ but does not match ‘*.extrasecure.example.com’. (Imagine if there was one top-secret set of servers in your company that the main IT department didn't have security clearance to administer.)
*.example.com && port:22’. This means the CA is trusted to sign the host key for a connection if the host name matches ‘*.example.com’ and the port number is 22. SSH servers running on other ports would not be covered.
(*.foo.example.com || *.bar.example.com) && port:0-1023’. This matches two subdomains of example.com, as before, but also restricts the port number to the range 0-1023.
A certificate configuration expression consists of one or more individual requirements which can each be a hostname wildcard, a single port number, or a port number range, combined together with these Boolean operators.
Unlike other languages such as C, there is no implied priority between ‘&&’ and ‘||’. If you write ‘A && B || C’ (where A, B and C are some particular requirements), then PuTTY will report a syntax error, because you haven't said which of the ‘&&’ and ‘||’ takes priority tightly. You will have to write either ‘(A && B) || C’, meaning ‘both of A and B, or alternatively just C’, or ‘A && (B || C)’ (‘A, and also at least one of B and C’), to make it clear.