Browser support for Subject Alternative Names

How browsers use the Subject Alternative Name field in your SSL certificate.

When browsers connect to your server using https, they check to make sure your SSL certificate matches the host name in the address bar.

There are three ways for browsers to find a match:

  1. The host name (in the address bar) exactly matches the Common Name in the certificate's Subject.
  2. The host name matches a wildcard common name. For example, www.example.com matches the common name *.example.com.
  3. The host name is listed in the Subject Alternative Name field.

The most common form of SSL name matching is for the SSL client to compare the server name it connected to with the common name in the server's certificate. It's a safe bet that all SSL clients will support exact common name matching.

If an SSL certificate has a Subject Alternative Name (SAN) field, then SSL clients are supposed to ignore the common name value and seek a match in the SAN list. This is why DigiCert always repeats the common name as the first SAN in our certificates.

Which SSL clients support Subject Alternative Names?

Most mobile devices support Subject Alternative Names, and most support Wildcard certificates, but all of them support exact Common Name matching.

Internet Explorer, Firefox, Opera, Safari, and Netscape have all supported Subject Alternative Names since 2003. Internet Explorer has actually supported them since Windows 98.

Windows Mobile 5 supports Subject Alternative Names, but it does not support wildcard matching (*.example.com). However, DigiCert wildcard certificates allow you to include SANs in your certificate as a workaround.

Windows Mobile 6 supports Subject Alternative Names and wildcard matching.

Newer Palm Treo devices use WM5, but the older ones run PalmOS and use VersaMail for ActiveSync. The older Treos do not support SAN name matching.

Newer smart phones running Symbian OS Symbian OS supports Subject Alternate Names from version 9.2 and later.

Older smart phones running Symbian OS (Symbian OS 9.1 and earlier) do not support Subject Alternative Name matching. This seems to be resolved in Symbian OS 9.2 (S60 3rd Edition, Feature Pack 1).

Older Palm Treo devices run PalmOS and use VersaMail for ActiveSync. These older Treos do not support SAN name matching.

Because not all mobile devices support the Subject Alternative Name field, it's safest to set your common name to the name that most mobile devices will be using.

Related: