What is a Multi-Domain (SAN) certificate?
When ordering or issuing a new TLS/SSL certificate, there is a Subject Alternative Name field that lets you specify additional host names (ie. sites, IP addresses, common names, etc.) to be protected by a single TLS/SSL certificate, such as a Multi-Domain (SAN) or Extend Validation Multi-Domain certificate.
The Subject Alternative Name extension was a part of the X509 certificate standard before 1999, but it wasn't until the launch of Microsoft Exchange Server 2007 that it was commonly used. This change was helpful by simplifying server configurations. Now, Subject Alternative Names are widely used for environments or platforms that need to secure multiple website names across different domains and subdomains.
What are Subject Alternative Names (SANs) used for?
There are three main ways Subject Alternative Names (SANs) are used:
- Secure host names on different base domains from a single TLS/SSL certificate: A Wildcard certificate can protect all first-level subdomains on an entire domain, such as *.example.com. However, a Wildcard Certificate cannot protect both www.example.com and www.example.net.
- Virtual host multiple TLS/SSL sites on a single IP address: Hosting multiple TLS/SSL-enabled sites on a single server typically requires a unique IP address per site, but a Multi-Domain (SAN) Certificate with Subject Alternative Names can solve this problem. Microsoft IIS and Apache are both able to Virtual Host HTTPS sites using Multi-Domain (SAN) Certificates.
- Greatly simplify your server's TLS/SSL Configuration: Using a Multi-Domain (SAN) Certificate saves you the hassle and time involved in configuring multiple IP addresses on your server, binding each IP address to a different certificate, and trying to piece it all together.
Where do you see Subject Alternative Names in action?
To see an example of Subject Alternative Names, in the address bar for this page, click the padlock in your browser to examine our TLS/SSL certificate. In the certificate details, you will find a Subject Alternative Name extension that lists both www.digicert.com and digicert.com plus some additional SANs secured by our certificate. Because the name digicert.com is listed in our certificate, your browser will not issue a warning if you visit our site at https://digicert.com without seeing 'www' in the name.
How do browsers use the Subject Alternative Name field in your TLS/SSL certificate?
When browsers connect to your server using HTTPS, they check to make sure your TLS/SSL certificate matches the host name in the address bar.
There are three ways for browsers to find a match:
- The host name (in the address bar) exactly matches the Common Name in the certificate's Subject.
- The host name matches a Wildcard Common Name. For example, www.example.com matches the common name *.example.com.
- The host name is listed in the Subject Alternative Name field.
The most common form of TLS/SSL name matching is for the TLS/SSL client to compare the server’s name it connected to, with the Common Name in the server's certificate. It's a safe bet that all TLS clients will support exact common name matching.
If a TLS certificate has a Subject Alternative Name (SAN) field, then TLS clients are supposed to ignore the Common Name value and seek a match in the SAN list. This is why DigiCert always repeats the common name as the first SAN in our certificates.
Which TLS/SSL clients support Subject Alternative Names?
Most mobile devices support Subject Alternative Names and most support Wildcard Certificates, but all of them support exact Common Name matching.
Internet Explorer, Firefox, Opera, Safari, and Netscape: All have supported Subject Alternative Names since 2003. Internet Explorer has actually supported them since Windows 98.
Micrsoft Edge: Microsoft's newest browser supports Subject Alternative Names.
Windows Phone: Supports Subject Alternative Names and Wildcard matching.
Newer Palm Treo: These devices use WM5, but the older ones run PalmOS and use VersaMail for ActiveSync. The older Treos do not support Subject Alternative Name matching.
Newer Smart Phones Running Symbian OS: Symbian OS supports Subject Alternate Names from version 9.2 and later.
Older Smart Phones Running Symbian OS: Symbian OS 9.1 and earlier do not support Subject Alternative Name matching. This seems to be resolved in Symbian OS 9.2 (S60 3rd Edition, Feature Pack 1).
Older Palm Treo: These devices run PalmOS and use VersaMail for ActiveSync. These older Treos do not support Subject Alternative Name matching.
Because not all mobile devices support the Subject Alternative Name field, it's safest to set your common name to the name that most mobile devices will be using.