
What is a Subject Alternative Name (SAN)?

December 18, 2024


Written by: Agnieszka Dyba


Subject Alternative Name certificates are powerful tools that streamline security for organizations managing multiple domains or subdomains. This guide explores what SAN certificates are, how they work, their advantages, and best practices for implementation. By the end, you'll understand why SAN certificates are essential for efficient, scalable website protection and how they can simplify your digital security strategy.

Understanding Subject Alternative Names

What is SAN?

A Subject Alternative Name, or SAN, is an extension used in digital certificates that allows a single certificate to secure multiple domain names, subdomains, or IP addresses. Think of it as a way to tell your web browser, "This certificate is good for more than just one website." Instead of issuing multiple certificates for each domain, a SAN certificate can cover several of them, simplifying management and improving security.

To understand SAN, it helps to start with the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. TLS is the successor to the now-deprecated SSL protocol, and although the two are not interchangeable because of significant differences, the term "SSL" persists in common usage. Businesses use TLS certificates to secure communications between a user's web browser and a website, ensuring that sensitive information, such as passwords, credit card numbers, and personal data, is encrypted in transit so that anyone intercepting the traffic cannot read it.

When you visit a website, your browser checks for a valid TLS certificate. If the certificate is valid and its listed names cover the site you requested, the browser establishes an encrypted connection and the data you enter is protected in transit. The SAN information appears in the SSL/TLS certificate details, which can be viewed by clicking the padlock in the address bar of most web browsers.

What’s the difference between Common Name and Subject Alternative Name?

The Common Name (CN) is traditionally the primary domain name specified in a certificate's Subject field. A modern TLS certificate (especially a multi-domain or wildcard certificate) lists all of its domains and subdomains in the SAN extension instead, and browsers match the requested hostname against the SAN list only: Chrome stopped falling back to the Common Name in 2017, so a name that appears only in the CN is not trusted.

Think of it this way: The Common Name is like a primary street address, while SANs are like additional authorized addresses associated with the same property. With SAN, an organization can add multiple “addresses” or domains to one certificate, reducing administrative overhead and simplifying certificate management across multiple sites.

SAN: Use cases and benefits

Organizations use SAN certificates when they manage numerous websites or services under different domains or subdomains but want the simplicity and cost savings of managing just one certificate. These certificates are particularly helpful under certain scenarios, such as:

  • Multi-domain websites: Organizations managing several websites (e.g., different brands or regional sites) can use one SAN certificate to secure them all.
  • Unified communications: Applications like Microsoft Exchange and Skype for Business use SAN certificates to secure various services within one platform.
  • Subdomain management: SAN certificates simplify security for businesses using multiple subdomains (e.g., mail.example.com, shop.example.com) by not requiring them to manage individual certificates.

Benefits of SAN certificates

Subject Alternative Names offer several advantages, such as:

  • Cost-efficiency: Instead of buying separate certificates for each domain, you can secure multiple domains under a single SAN certificate.
  • Simplified management: A SAN certificate is one certificate to manage instead of several, reducing complexity when it comes to renewals and configuration.
  • Scalability: SAN certificates are ideal for organizations with diverse and growing digital infrastructure needs. They support a wide variety of domain names, subdomains, and IP addresses, allowing businesses to stay secure as their TLS needs evolve.
  • Flexibility to change names: IT administrators must frequently add, change, or remove domains. Having the ability to reissue or replace a SAN certificate at any time to add or remove secured names provides an efficient way to manage ad-hoc changes.
  • Supporting multiple IPs and servers: SAN certificates can list IP addresses as entries and can be installed across multiple servers, supporting hosting environments with diverse IP addresses (the private key must then be distributed to, and protected on, each of those servers).

How do SAN certificates work?

SAN certificates operate by listing multiple domain names or IP addresses in the SAN field of a TLS certificate, allowing them to share a single certificate. When a user accesses one of these domains, their browser examines the TLS certificate, cross-checking it with the listed SAN entries. If the accessed domain matches any domain in the SAN field, the browser recognizes the connection as secure and allows data to flow over an encrypted channel.

Here’s a practical example:

  • A visitor navigates from example.com to a subdomain like shop.example.com. Without a SAN certificate, the subdomain would require its own separate certificate. But with SAN, both domains share one, meaning the user can navigate securely across the entire website without seeing security warnings or interruptions.
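The matching step described above, as an added example that is not part of the original article: a small, dependency-free Python implementation of the rules browsers apply when comparing a requested hostname against a certificate's SAN entries (case-insensitive comparison, a wildcard honoured only as the whole left-most label and matching exactly one label, and IP addresses compared only against iPAddress entries, never against dNSName entries). The SAN list and hostnames are constructed for the article's example.com scenario; the `(type, value)` list format and the function names are this example's own, not a library API.

```python
"""Hostname matching against a certificate's Subject Alternative Name list.

Added example (not from the original article). The Common Name is
deliberately not consulted: a name that appears only in the CN is rejected,
which mirrors current browser behaviour.
"""
import ipaddress


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname.

    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is honoured only as the entire left-most label ("*.example.com")
    - a wildcard matches exactly one label, so "*.example.com" matches neither
      "example.com" nor "a.b.example.com"
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole first label, with at least two fixed labels after it.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_san(hostname: str, san_entries: list[tuple[str, str]]) -> bool:
    """Return True if hostname is covered by any SAN entry.

    san_entries is a constructed list of (type, value) pairs in the style of a
    browser's certificate viewer, e.g. ("DNS", "shop.example.com") or
    ("IP Address", "203.0.113.10"). A real parser would hand back structured objects.
    """
    try:
        requested_ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        requested_ip = None  # a DNS name was requested, not an IP literal

    for kind, value in san_entries:
        if kind == "DNS" and requested_ip is None and _dns_name_matches(value, hostname):
            return True
        if kind == "IP Address" and requested_ip is not None:
            try:
                if ipaddress.ip_address(value) == requested_ip:
                    return True
            except ValueError:
                continue  # malformed entry in the certificate; ignore it
    return False


# Constructed SAN list for this example, mirroring the article's example.com scenario.
EXAMPLE_SAN = [
    ("DNS", "example.com"),
    ("DNS", "shop.example.com"),
    ("DNS", "*.mail.example.com"),
    ("IP Address", "203.0.113.10"),
]


def main() -> None:
    requested = [
        "example.com", "SHOP.example.com", "blog.example.com",
        "imap.mail.example.com", "a.b.mail.example.com", "mail.example.com",
        "203.0.113.10", "203.0.113.11",
    ]
    for name in requested:
        print(f"{name:24} -> {'covered' if hostname_matches_san(name, EXAMPLE_SAN) else 'NOT covered'}")


if __name__ == "__main__":
    main()
```

Running the script shows that `blog.example.com` is not covered even though `example.com` and `shop.example.com` are: a SAN certificate secures only the names actually listed on it, which is why the first implementation step in the article is to enumerate every name you need.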

However, SAN certificates have certain restrictions:

  • Limited number of domains: Most SAN certificates support a limited number of domains, typically up to 250, depending on the certificate provider.
  • Single-point-of-failure risk: If the private key of a SAN certificate is compromised, every domain listed on it is affected; the certificate has to be revoked and replaced for all of them at once.
  • Not suitable for all scenarios: SAN certificates are not ideal for use cases that require isolation between domains, since every server holding the key can serve every listed name and the full list of names is visible to anyone who inspects the certificate.

How do you obtain and implement a SAN certificate?

Acquiring and using a SAN certificate is a straightforward process:

  • Step 1: Identify the domains or subdomains you want to secure.
  • Step 2: Choose a certificate authority (CA) that offers SAN certificates, like Entrust.
  • Step 3: Submit a certificate signing request (CSR) to the CA, including the primary domain (Common Name) and the additional SANs.
  • Step 4: The CA verifies your ownership of all the domains.
  • Step 5: Once the CSR is approved, the CA issues the SAN certificate.
  • Step 6: Implement the certificate on your web servers, ensuring it covers all the SAN entries.
  • Step 7: Regularly renew the certificate before its expiration to maintain security.
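Steps 1 through 3 above, as an added example that is not part of the original article or of any Entrust tooling: a Python script that generates a private key and a certificate signing request whose SAN extension lists every name to be secured, then reads the extension back to confirm the request is correct before it is submitted to the CA. It assumes the pyca/cryptography library is installed; the domain names and IP address are constructed placeholders for the article's example.com scenario, and the function names are this example's own.

```python
"""Build and inspect a CSR that carries Subject Alternative Names.

Added example, not from the original article. Requires the pyca/cryptography
library (pip install cryptography). Names and addresses are constructed.
"""
import ipaddress

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def build_san_csr(common_name: str, dns_names: list[str], ip_addresses=()):
    """Generate a fresh P-256 key and a CSR listing every name in the SAN extension.

    The Common Name is repeated in the SAN list on purpose: validators match
    against SAN only, so a name that lives solely in the CN would not be trusted.
    Returns (private_key, csr).
    """
    key = ec.generate_private_key(ec.SECP256R1())
    names = list(dict.fromkeys([common_name, *dns_names]))  # de-duplicate, keep order
    san = [x509.DNSName(n) for n in names]
    san += [x509.IPAddress(ipaddress.ip_address(a)) for a in ip_addresses]
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .add_extension(x509.SubjectAlternativeName(san), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, csr


def san_entries(csr: x509.CertificateSigningRequest) -> dict[str, list[str]]:
    """Read the SAN extension back out of the CSR (the same call works on a certificate)."""
    ext = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return {
        "dns": ext.get_values_for_type(x509.DNSName),
        "ip": [str(a) for a in ext.get_values_for_type(x509.IPAddress)],
    }


def csr_to_pem(csr: x509.CertificateSigningRequest) -> str:
    """PEM text of the request; this is what gets submitted to the CA."""
    return csr.public_bytes(serialization.Encoding.PEM).decode()


def key_to_pem(key) -> str:
    """Unencrypted PEM private key; keep it on the server, never send it to the CA."""
    return key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    ).decode()


if __name__ == "__main__":
    key, csr = build_san_csr(
        "example.com",
        ["shop.example.com", "mail.example.com"],
        ["203.0.113.10"],
    )
    print("SAN entries in the request:", san_entries(csr))
    print("signature valid:", csr.is_signature_valid)
    print(csr_to_pem(csr))
```

Checking `san_entries(csr)` before submission catches the most common cause of a certificate that "does not cover" a site: a name that was simply left out of the request. The private key never leaves the server; only the CSR goes to the CA, which then performs the ownership checks in Step 4.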

Secure communication with Entrust

Entrust offers a wide range of digital certificate solutions to help organizations secure their online presence efficiently and reliably. Whether you need SAN certificates for multi-domain management or other advanced certificate options, Entrust provides industry-leading products and dedicated support to meet your unique security needs.

Agnieszka Dyba

Agnieszka Dyba is a Product Marketing Manager for Certificate Solutions at Entrust. The Certificate Solutions portfolio supports businesses as they strive to establish a higher level of public and private trust. Agnieszka is responsible for driving the product marketing strategy and communications for direct customers and partners for select public trust products within the portfolio. She has been working in the high-tech sector for 16 years, holds a master's degree in economics, and is fluent in four languages.
