Search... ⌘ K
Get Started Contact Sales

What is the Subject Alternative Name (SAN)?

Table of Contents

The Subject Alternative Name (SAN) is an extension to the X.509 specification that allows a single SSL certificate to protect multiple hostnames. The SAN extension is standard practice for modern SSL certificates and is gradually replacing the use of the common name field for hostname matching.

SAN certificates

A SAN certificate is a term often used to refer to a multi-domain SSL certificate. An SSL certificate with more than one name is associated using the SAN extension.

There’s a subtle difference though. When using the term ‘multi-domain certificates’, we’re generally referring to an SSL certificate that has the ability to cover multiple host names (domains). If we use the term ‘SAN certificates’, we’re probably referring to a particular certificate that includes any name in the SAN extension.

From a technical standpoint, every publicly trusted certificate issued today is effectively a SAN certificate. The CA/Browser Forum requires certificates to include a Subject Alternative Name (SAN), and any domain name present in the common name must also appear in the SAN. As a result, even certificates covering a single name rely on the SAN extension.

In practice, the terms ‘SAN certificates’ and ‘multi-domain certificates’ are synonymous, and generally indicate a certificate product where issuers can associate more than one domain by specifying the content of the SAN (directly or indirectly). These certificates are often marketed as “special” and priced differently than single-name certificates, because you can associate more than one name.

SAN restrictions

There’s no specific limitation on the host names you can cover with a SAN extension, besides the requirement to be syntactically valid host names (further details are available in the RFC). However, certificate authorities may impose further limitations on the number or formats based on internal rules or business decisions.

For example, it’s common practice to disallow arbitrary wildcard names as SAN host names. This means SAN certificates generally support only a specific list of names.

It’s also common to encounter a limit on the number of names per certificate, usually up to 100.

Finally, names are generally not required to belong to the same domain. It’s fine for a certificate to cover a list of names like this:

example.com
www.example.com
foo.bar.hello.com
another.domain.com

SAN certificates and DNSimple

DNSimple provides SAN SSL certificates issued by the Let’s Encrypt certification authority.

For current platform limitation, all the names must belong to the same domain:

example.com
www.example.com
mail.example.com
foo.bar.example.com

Background

The X.509 specifications regulate the Internet X.509 Public Key Infrastructure Certificate, which includes the SSL certificates format. Originally, SSL certificates only allowed the designation of a single host name in the certificate subject called Common Name.

The common name represents the host name that’s covered by the SSL certificate. Trying to use the certificate for a website that doesn’t match the common name will result in a security error, also known as host name mismatch error.

After the original specificaton, it became clear it would be helpful to have a single certificate to cover multiple host names. The most common example is a single certificate covering both the root domain and the www subdomain. In fact, it’s common to reuse the same SSL certificate for example.com and www.example.com.

The X.509 specification allows users to define extensions to be attached to a Certificate Signing Request (CSR) and the final server certificate. Using the SAN extension, it’s possible to specify several host names in the subjectAltName field of a certificate. Each of these names will be considered protected by the SSL certificate.

Taking action

Have more questions?

If you have additional questions or need any assistance with SANs and which hostnames a certificate can cover, just contact support, and we’ll be happy to help.