Subject Alternative Names: Compatibility

When browsers connect to your server using https, they check to make sure your SSL certificate matches the host name in the address bar.

There are three ways for browsers to find a match:

1. The host name (in the address bar) exactly matches the Common Name
   in the certificate's Subject.
2. The host name matches a wildcard common name. For example, www.example.com matches the common name *.example.com.
3. The host name is listed in the Subject Alternative Name field.

The most common form of SSL name matching is for the SSL client to compare the server name it connected to with the common name in the server's certificate. It's a safe bet that all SSL clients will support exact common name matching.

If an SSL certificate has a Subject Alternative Name (SAN) field, then SSL clients are supposed to ignore the common name value and seek a match in the SAN list. This is why DigiCert always repeats the common name as the first SAN in our certificates.

Which SSL clients support Subject Alternative Names?

Most mobile devices support Subject Alternative Names, and most support Wildcard certificates, but all of them support exact Common Name matching.

Because not all mobile devices support the Subject Alternative Name field, it's safest to set your common name to the name that most mobile devices will be using.

Related:

• Learn more about Unified Communications Certificates
• The Subject Alternative Name field explained
• Exchange 2007: New-ExchangeCertificate CSR Wizard