What are Subject Alternative Name Certificates?

Introduction:

SSL certificates are an effective way of securing domain names and IPs, and their importance to an organization's security cannot be overstated. But what if an organization has a huge number of domains? Procuring a separate certificate for each domain can be time-consuming as well as expensive. Thankfully, multi-domain certificates take care of this problem. Multi-domain certificates can be broadly divided into two types: Wildcard certificates and Subject Alternative Name (SAN) certificates. Wildcard certificates can be used to secure multiple subdomains of a single domain. But what happens if all the domains that are to be secured are different? This is where Subject Alternative Name certificates are used.

What are SAN certificates?

Subject Alternative Name (SAN) is a way of identifying all the domains and IPs that are to be secured by an SSL certificate. Subject Alternative Name certificates are those certificates that use SAN to secure multiple domains and IPs. SAN certificates are also known as Unified Communications Certificates (UCC). SAN certificates can support multiple types of SANs: unified communication (mail servers), IPs, subdomains, and global domains. The number of SANs that can be attached to a SAN certificate depends on the certificate authority (CA). For example, GlobalSign allows up to 200 SAN names, whereas GeoTrust allows up to 100.

Fig 1: Multiple types of SAN names
Fig 2: Two DNS names configured in the same certificate using SAN

Advantages of using SAN certificates:

  • Easy to manage
  • Time Saving
  • Cost Effective
  • Highly Flexible

Limitations:

While we can all agree that SAN certificates make the life of an application service provider easier, they do have some limitations. Firstly, SAN certificates are inherently SSL certificates. So, like all certificates, the names of the services are embedded in the certificate. If we change a service name, we need to change the certificate as well. Secondly, all domain names are visible in a SAN certificate, regardless of which site the certificate is bound to.
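To make the SAN types and the two limitations above concrete, here is an added example (not code from the original article) that checks which hosts a SAN list covers and which names it discloses. The SAN entries are constructed sample values, the function names are hypothetical, and the wildcard rule is a simplified form of standard hostname matching (one left-most label only).

```python
import ipaddress

# Constructed SAN list, in the "TYPE:value" form certificate viewers print.
SAN_ENTRIES = [
    "DNS:www.example.com",
    "DNS:mail.example.net",
    "DNS:*.shop.example.org",
    "IP:192.0.2.10",
]


def parse_san(entries):
    """Split "TYPE:value" strings into (dns_names, ip_addresses)."""
    dns_names, ips = [], []
    for entry in entries:
        kind, _, value = entry.partition(":")
        if kind == "DNS":
            dns_names.append(value.lower().rstrip("."))
        elif kind == "IP":
            ips.append(ipaddress.ip_address(value))
    return dns_names, ips


def dns_matches(pattern, host):
    """Exact match, or a wildcard standing for exactly one left-most label."""
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or not all(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse overly broad patterns such as "*.com".
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def covers(entries, target):
    """True if the SAN list covers the given host name or IP literal."""
    dns_names, ips = parse_san(entries)
    try:
        # IP literals are compared only against IP entries, never DNS ones.
        return ipaddress.ip_address(target) in ips
    except ValueError:
        pass  # not an IP literal, so treat it as a DNS name
    host = target.lower().rstrip(".")
    return any(dns_matches(p, host) for p in dns_names)


def disclosed_names(entries):
    """Every name a client can read from the certificate, whatever site it asked for."""
    dns_names, ips = parse_san(entries)
    return sorted(dns_names + [str(ip) for ip in ips])
```

A renamed service such as `api.example.com` is not covered until the certificate is reissued, and a client connecting to any one site still sees the full list returned by `disclosed_names`.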
