Understanding SAN Certificates: Benefits & How They Work

Zane Lucas

Every SSL Certificate has to state which website names it protects. The earliest SSL Certificates carried a single name in a field called the Common Name (CN), which limited each Certificate to one address.

Modern SSL Certificates use the Subject Alternative Name (SAN) field instead. That one change is what lets a single SSL Certificate secure many names at once.

The Subject Alternative Name (SAN) field is a list of names held inside the SSL Certificate. A browser will accept the SSL Certificate for any name on that list. This is the mechanism behind both Multi-Domain SSL Certificates and Wildcard SSL Certificates, and understanding it makes the difference between the two much clearer.

Trustico® offers Multi-Domain SSL Certificates that use the Subject Alternative Name (SAN) field to cover several names on one SSL Certificate.

The Subject Alternative Name (SAN) Field Explained

The Subject Alternative Name (SAN) field is an extension within the SSL Certificate that holds one or more names. Each name is a separate entry, and the SSL Certificate is valid for every entry it contains. One SSL Certificate might list example.com, www.example.com, and shop.example.com together.

The names are written into the SSL Certificate when it is issued, so the list is fixed for the life of that Certificate. Adding a name later means obtaining a reissue that includes the new entry, rather than editing the existing SSL Certificate.

The Common Name (CN), where it is still present, simply repeats one of the names already held in the Subject Alternative Name (SAN) field.

Browser Name Matching

When a browser connects to a site, it reads the SSL Certificate and looks for the requested name in the Subject Alternative Name (SAN) field. If the name is listed and the SSL Certificate is otherwise valid, the browser trusts it and opens an encrypted connection.

If the name is absent, the browser shows a name mismatch warning even when the SSL Certificate itself is genuine.

The browser also confirms that the SSL Certificate was issued by a trusted Certificate Authority (CA) and has not expired or been revoked. Trustico® provides SSL Certificates issued by the Certificate Authority (CA), so the names in the Subject Alternative Name (SAN) field are recognized by browsers everywhere.

Multi-Domain and Wildcard SSL Certificates

Two product types are built on the Subject Alternative Name (SAN) field, and they fill the list in different ways. A Multi-Domain SSL Certificate lists each name explicitly, which suits separate domains such as example.com, example.net, and example.org.

A Wildcard SSL Certificate places a single asterisk entry, such as *.example.com, in the Subject Alternative Name (SAN) field, which then matches every first-level subdomain of one domain. Many SSL Certificates combine both styles, listing several domains while using a wildcard entry for one of them.
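The name matching described under Browser Name Matching and the wildcard rule above can be checked before ordering or deploying. The following is an added example, not code from Trustico® or any browser; the function names and the sample SAN list are constructed for illustration, and the wildcard handling is a simplification of what real clients do.

```python
def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.lower().rstrip(".").split(".")


def entry_matches(hostname, san_entry):
    """True if one SAN entry covers the requested hostname."""
    host, pattern = _labels(hostname), _labels(san_entry)
    if len(host) != len(pattern):
        # An asterisk stands for exactly one label, so *.example.com
        # covers neither example.com nor a.b.example.com.
        return False
    if pattern[0] == "*":
        # Simplification: require two fixed labels after the asterisk.
        # Real clients apply stricter public-suffix checks.
        return len(pattern) >= 3 and host[0] != "" and host[1:] == pattern[1:]
    # Partial wildcards such as w*.example.com are rejected outright.
    return "*" not in san_entry and host == pattern


def covered(hostname, san_list):
    """True if any entry in the SAN list covers the hostname."""
    return any(entry_matches(hostname, entry) for entry in san_list)


def uncovered_names(required, san_list):
    """Names that would trigger a name mismatch warning."""
    return [name for name in required if not covered(name, san_list)]


# Constructed sample: a combined Multi-Domain and Wildcard SAN list.
SAN_LIST = ["example.com", "www.example.com", "*.example.net", "example.org"]

# Constructed sample: the names a deployment actually serves.
REQUIRED = [
    "example.com",
    "WWW.EXAMPLE.COM",
    "shop.example.com",
    "shop.example.net",
    "example.net",
    "a.b.example.net",
]

if __name__ == "__main__":
    for name in uncovered_names(REQUIRED, SAN_LIST):
        print("not covered:", name)
```

Running the check against the sample list flags shop.example.com, example.net, and a.b.example.net: the wildcard entry covers only first-level subdomains of example.net, so the bare domain and deeper subdomains need their own entries.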

Benefits of a Multi-Domain SSL Certificate

The practical appeal is consolidation. One Multi-Domain SSL Certificate replaces a stack of single-name Certificates, so there is one purchase, one validity period, and one installation to manage rather than many. The cost per name usually falls as more names are added.

Fewer SSL Certificates also means fewer chances to miss an expiry. A single SSL Certificate with every name on it is easier to track than a spread of separate Certificates expiring on different dates, which lowers the risk of a lapse taking a site offline.

Choosing a Multi-Domain SSL Certificate

Two choices matter most. The first is how many names you need to cover, because each product allows a different number of entries in the Subject Alternative Name (SAN) field, and extra names are usually added in blocks. Count the domains and subdomains you need before ordering.

The second is the validation level. Domain Validation (DV) confirms control of each name and issues quickly, Organization Validation (OV) adds a check of the business, and Extended Validation (EV) applies the strictest identity checks.

Obtaining a Multi-Domain SSL Certificate From Trustico®

Ordering follows the same path as any SSL Certificate. Generate one Certificate Signing Request (CSR) for the primary name, list the additional names during the order, and complete Domain Control Validation (DCV) for each name before the Certificate Authority (CA) issues the SSL Certificate.

Trustico® provides Multi-Domain SSL Certificates across the Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV) levels, with the SSL Certificate issued by the Certificate Authority (CA).

Most Popular Questions

Frequently asked questions covering the Subject Alternative Name (SAN) field, how it lets one SSL Certificate secure many names, and how Multi-Domain and Wildcard SSL Certificates use it.

Subject Alternative Name (SAN) Field Definition

The Subject Alternative Name (SAN) field is an extension inside an SSL Certificate that lists the names the Certificate protects. A browser accepts the SSL Certificate for any name on that list, which is how one Certificate can secure several names at once.

Subject Alternative Name (SAN) Versus the Common Name (CN)

Early SSL Certificates carried a single name in the Common Name (CN) field, which limited each Certificate to one address. The Subject Alternative Name (SAN) field removed that limit by holding a list of names, and the Common Name (CN) now simply repeats one entry already in the list.

Names Covered by One SSL Certificate

One SSL Certificate can list many domains and subdomains in its Subject Alternative Name (SAN) field, such as example.com, www.example.com, and shop.example.com. The SSL Certificate is valid for every entry the list contains.

Multi-Domain SSL Certificate Coverage

A Multi-Domain SSL Certificate lists each name explicitly in the Subject Alternative Name (SAN) field. This suits separate domains such as example.com, example.net, and example.org secured under one SSL Certificate.

Wildcard SSL Certificate Coverage

A Wildcard SSL Certificate places a single asterisk entry, such as *.example.com, in the Subject Alternative Name (SAN) field. That entry matches every first-level subdomain of the domain, unlike a Multi-Domain SSL Certificate that lists each name individually.

Browser Name Matching

When a browser connects, it searches the Subject Alternative Name (SAN) field for the requested name. If the name is present and the SSL Certificate is valid, the browser opens an encrypted connection, and if it is absent, the browser shows a name mismatch warning.

Adding Names After Issuance

The list of names is fixed when the SSL Certificate is issued. Adding a name later requires a reissue that includes the new entry, rather than editing the existing SSL Certificate.

Cost Savings of a Multi-Domain SSL Certificate

One Multi-Domain SSL Certificate replaces several single-name Certificates, so there is one purchase, one validity period, and one installation to manage. The cost per name usually falls as more names are added.

Validation Levels for a Multi-Domain SSL Certificate

A Multi-Domain SSL Certificate is available at the Domain Validation (DV), Organization Validation (OV), and Extended Validation (EV) levels. Domain Validation (DV) issues quickly, while Organization Validation (OV) and Extended Validation (EV) add checks of the business behind the names.

Obtaining a Multi-Domain SSL Certificate From Trustico®

Generate one Certificate Signing Request (CSR), list the additional names during the order, and complete Domain Control Validation (DCV) for each name. Trustico® provides the Multi-Domain SSL Certificate, with issuance handled by the Certificate Authority (CA).
