RFC2818 states:
If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.
Internet Explorer behaves in the way outlined by the RFC, where each level needs its own wildcarded certificate. Firefox is happy with a single *.domain.com where * matches anything in front of domain.com, including other.levels.domain.com, but will also handle the *.*.domain.com types as well.
So, to answer your question: it is possible, and supported by browsers.
Moreover, that explanation would imply that no company internal servers can have their identity verified, which does a lot more harm to security than good, since we'll all have to teach our users to ignore the security warnings in Chrome despite having dropped hundreds of dollars on a legit cert specifically to avoid that.
But they can't have their identity verified by a third party, no matter how expensive the certificate was.
Only one company can "own" contoso.com on the public internet, and that company can specify what server1.contoso.com is, and nobody else can.
DigiCert (or whoever) can verify that the certificate request for server1.contoso.com is coming from the same company that owns contoso.com and is therefore (probably) not a fraudulent request. They can also issue one certificate for server1.contoso.com and then no more.
Anyone can have contoso.local. Lots of people all at once. DigiCert can't do anything to verify that you do or don't have servers by that name. And they can issue certificates to that name over and over again, each to different people.
So the security warning is a genuine warning - Chrome cannot verify that this is the intended server1.contoso.local because the exact same certificate could be installed on a thousand computers called "server1.contoso.local" around the world.
If you're considering putting your credit card details into a site, a .local certificate should not reassure you much at all.
Apparently IE and Firefox have differing views on this, choosing to pretend that it is fine, when it actually isn't.
Make your server accessible by a real FQDN and buy a certificate for that instead.
Best Answer
I ran into this a few months back. You can buy a certificate for whatever you want! However a few things to keep in mind...
You cannot buy a wildcard cert for your third level domain and have it protect your fourth level domains; you have to secure the domains at each level of the domain name tree. In general the SSL providers won't restrict how many levels you can have though.
We had a wildcard cert for our third level domain name, something like *.us.mydomain.com which allowed us to secure our US resources, but we also needed one for our Polish resources so another cert for *.pl.mydomain.com was required.
Some of the providers may limit to what depth you can go though, but the browsers should all support it.
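A small matcher for the RFC 2818 wildcard rule quoted at the top of this page, added here as an illustration; it is not code from any of the answers or from any browser. The function names are made up for this example, and treating * as "one or more characters" within a label is an assumption.

```python
# Added example: RFC 2818 style matching, where "*" never crosses a dot.

def label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label against a pattern label holding at most one '*'."""
    pattern, label = pattern.lower(), label.lower()
    if "*" not in pattern:
        return pattern == label
    if pattern.count("*") > 1:
        return False  # assumption: more than one '*' in a label is rejected
    prefix, suffix = pattern.split("*")
    # '*' covers the rest of this single label ("*" whole, or "f*" fragment).
    # Assumption: it must stand for at least one character.
    return (len(label) > len(prefix) + len(suffix)
            and label.startswith(prefix)
            and label.endswith(suffix))


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Compare label by label; a different label count can never match."""
    p_labels = pattern.rstrip(".").split(".")
    h_labels = hostname.rstrip(".").split(".")
    if not all(h_labels) or len(p_labels) != len(h_labels):
        return False
    return all(label_matches(p, h) for p, h in zip(p_labels, h_labels))


def certificate_covers(dns_names, hostname: str) -> bool:
    """RFC 2818: a match against any one of the dNSName entries is enough."""
    return any(hostname_matches(name, hostname) for name in dns_names)


if __name__ == "__main__":
    # Constructed sample: the two wildcard names from the last answer.
    cert_names = ["*.us.mydomain.com", "*.pl.mydomain.com"]
    for host in ("web.us.mydomain.com",
                 "web.pl.mydomain.com",
                 "db.east.us.mydomain.com",   # one level deeper
                 "us.mydomain.com"):          # the parent itself
        verdict = "covered" if certificate_covers(cert_names, host) else "NOT covered"
        print(f"{host:28} {verdict}")
```

Under this rule a host one level deeper than the wildcard, and the parent name itself, both fall outside the certificate, which is why a separate name is needed for each level.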