Website SSL Security - Understanding SAN Certificates

Understanding Subject Alternative Name (SAN) SSL Certificates

Zane Lucas

Every SSL Certificate has to state which website names it protects. The earliest SSL Certificates carried a single name in a field called the Common Name (CN), which limited each Certificate to one address.

Modern SSL Certificates use the Subject Alternative Name (SAN) field instead. That one change is what lets a single SSL Certificate secure many names at once.

The Subject Alternative Name (SAN) field is a list of names held inside the SSL Certificate. A browser will accept the SSL Certificate for any name on that list. This is the mechanism behind both Multi-Domain SSL Certificates and Wildcard SSL Certificates, and understanding it makes the difference between the two much clearer.

Trustico® offers Multi-Domain SSL Certificates that use the Subject Alternative Name (SAN) field to cover several names on one SSL Certificate.

The Subject Alternative Name (SAN) Field Explained

The Subject Alternative Name (SAN) field is an extension within the SSL Certificate that holds one or more names. Each name is a separate entry, and the SSL Certificate is valid for every entry it contains. One SSL Certificate might list example.com, www.example.com, and shop.example.com together.

The names are written into the SSL Certificate when it is issued. To cover an extra name on a Multi-Domain SSL Certificate, order an additional Subject Alternative Name (SAN) in your account, and Trustico® adds it to the existing SSL Certificate for the remainder of its validity.

The Common Name (CN), where it is still present, simply repeats one of the names already held in the Subject Alternative Name (SAN) field.

Browser Name Matching

When a browser connects to a site, it reads the SSL Certificate and looks for the requested name in the Subject Alternative Name (SAN) field. If the name is listed and the SSL Certificate is otherwise valid, the browser trusts it and opens an encrypted connection.

If the name is absent, the browser shows a name mismatch warning even when the SSL Certificate itself is genuine.

The browser also confirms that the SSL Certificate was issued by a trusted Certificate Authority (CA) and has not expired or been revoked. Trustico® provides SSL Certificates issued by the Certificate Authority (CA), so the names in the Subject Alternative Name (SAN) field are recognized by browsers everywhere.

Multi-Domain and Wildcard SSL Certificates

Two product types are built on the Subject Alternative Name (SAN) field, and they fill the list in different ways. A Multi-Domain SSL Certificate lists each name explicitly, which suits separate domains such as example.com, example.net, and example.org.

A Wildcard SSL Certificate places a single asterisk entry, such as *.example.com, in the Subject Alternative Name (SAN) field, which then matches every first-level subdomain of one domain. Many SSL Certificates combine both styles, listing several domains while using a wildcard entry for one of them.
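The matching described under Browser Name Matching and in the wildcard paragraph above, as an added Python example (not Trustico® or browser code): it checks which requested names a given Subject Alternative Name (SAN) list covers and which would produce a name mismatch. The function names and the sample SAN list are constructed for illustration, and the matcher is a simplified model of the rule browsers apply.

```python
def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split into labels."""
    return name.rstrip(".").lower().split(".")


def entry_matches(hostname, san_entry):
    """Return True if one SAN DNS entry covers the requested hostname."""
    host, entry = _labels(hostname), _labels(san_entry)
    # Same number of labels is required: a wildcard stands for exactly
    # one label, so *.example.com covers neither example.com nor a.b.example.com.
    if len(host) != len(entry) or "" in host:
        return False
    if entry[0] == "*":
        # Simplification (assumption): demand at least "*.domain.tld".
        # Browsers additionally refuse wildcards directly under a public suffix.
        if len(entry) < 3:
            return False
        return host[1:] == entry[1:]
    # No wildcard: every label must match exactly ("w*" is not a wildcard here).
    return host == entry


def coverage_report(hostnames, san_entries):
    """Map each hostname to the SAN entry that covers it, or None (mismatch)."""
    return {
        h: next((e for e in san_entries if entry_matches(h, e)), None)
        for h in hostnames
    }


# Constructed sample: a SAN list combining explicit names and one wildcard.
SAMPLE_SAN = ["example.com", "*.example.com", "example.net", "example.org"]
SAMPLE_HOSTS = [
    "example.com",           # listed explicitly
    "shop.example.com",      # covered by the wildcard
    "SHOP.Example.COM.",     # case and trailing dot do not matter
    "api.shop.example.com",  # two labels deep: not covered
    "www.example.net",       # only the bare example.net is listed
]

if __name__ == "__main__":
    for host, entry in coverage_report(SAMPLE_HOSTS, SAMPLE_SAN).items():
        print(f"{host:24} {'covered by ' + entry if entry else 'NAME MISMATCH'}")
```

Running the report against the planned name list before ordering shows which names still need their own entry.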

Benefits of a Multi-Domain SSL Certificate

The practical appeal is consolidation. One Multi-Domain SSL Certificate replaces a stack of single-name Certificates, so there is one purchase, one validity period, and one installation to manage rather than many. The cost per name usually falls as more names are added.

Fewer SSL Certificates also means fewer chances to miss an expiry. A single SSL Certificate with every name on it is easier to track than a spread of separate Certificates expiring on different dates, which lowers the risk of a lapse taking a site offline.

Choosing a Multi-Domain SSL Certificate

Two choices matter most. The first is how many names you need to cover, because each product allows a different number of entries in the Subject Alternative Name (SAN) field, and extra names are usually added in blocks. Count the domains and subdomains you need before ordering.

The second is the validation level. Domain Validation (DV) confirms control of each name and issues quickly, Organization Validation (OV) adds a check of the business, and Extended Validation (EV) applies the strictest identity checks.

Obtaining a Multi-Domain SSL Certificate From Trustico®

Ordering follows the same path as any SSL Certificate. Generate one Certificate Signing Request (CSR) for the primary name, list the additional names during the order, and complete Domain Control Validation (DCV) for each name before the Certificate Authority (CA) issues the SSL Certificate.

Trustico® provides Multi-Domain SSL Certificates across the Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV) levels, with the SSL Certificate issued by the Certificate Authority (CA).


Most Popular Questions

Frequently asked questions covering the Subject Alternative Name (SAN) field, how browsers match names, how Multi-Domain and Wildcard SSL Certificates use it, and how to order and extend a Multi-Domain SSL Certificate.

What Does the Subject Alternative Name (SAN) Field Do?

The Subject Alternative Name (SAN) field is a list of names held inside the SSL Certificate, and the SSL Certificate is valid for every name on that list. A browser will accept the SSL Certificate for any name the field contains, which is what lets one SSL Certificate secure many names.

How Does the Common Name (CN) Relate to the Subject Alternative Name (SAN) Field?

Early SSL Certificates carried a single name in the Common Name (CN) field, which limited each one to a single address. Where the Common Name (CN) is still present, it simply repeats one of the names already held in the Subject Alternative Name (SAN) field.

How Does a Browser Match a Name?

When a browser connects, it reads the SSL Certificate and looks for the requested name in the Subject Alternative Name (SAN) field. If the name is listed and the SSL Certificate is otherwise valid, the browser opens an encrypted connection, and if the name is absent it shows a name mismatch warning even when the SSL Certificate is genuine.

What Separates Multi-Domain from Wildcard Coverage?

A Multi-Domain SSL Certificate lists each name explicitly, which suits separate domains such as example.com, example.net, and example.org. A Wildcard SSL Certificate places a single asterisk entry such as *.example.com, which matches an unlimited number of subdomains at the wildcard level of one domain.

Can One SSL Certificate Combine Both Styles?

Many SSL Certificates combine both approaches, listing several domains while using a wildcard entry for one of them. This covers a mix of separate domains and the subdomains of a single domain on one SSL Certificate.

What Makes a Multi-Domain SSL Certificate Worthwhile?

One Multi-Domain SSL Certificate replaces a stack of single-name Certificates, leaving one purchase, one validity period, and one installation to manage, and the cost per name usually falls as more names are added. Fewer SSL Certificates also means fewer chances to miss an expiry.

How Many Names Can a Multi-Domain SSL Certificate Hold?

Each product allows a different number of entries in the Subject Alternative Name (SAN) field, and extra names are usually added in blocks. Count the domains and subdomains you need before ordering.

Which Validation Levels Are Available?

Domain Validation (DV) confirms control of each name and issues quickly, Organization Validation (OV) adds a check of the business, and Extended Validation (EV) applies the strictest identity checks. A Multi-Domain SSL Certificate is offered across all three levels.

How Does Someone Order a Multi-Domain SSL Certificate?

Generate one Certificate Signing Request (CSR) for the primary name, list the additional names during the order, and complete Domain Control Validation (DCV) for each name before the Certificate Authority (CA) issues the SSL Certificate. The names are written into the SSL Certificate when it is issued.

How Can Someone Add a Name Later?

To cover an extra name on a Multi-Domain SSL Certificate, order an additional Subject Alternative Name (SAN) in your account, and Trustico® adds it to the existing SSL Certificate for the remainder of its validity.
