What is a Subject Alternative Name (SAN)?

Subject Alternative Name (SAN) Certificates: A Comprehensive Guide

Subject Alternative Name (SAN) certificates are powerful tools for organizations that need to secure multiple domains or subdomains efficiently. This guide explains what SAN certificates are, how they work, their advantages, limitations, and best practices for implementation. Understanding SAN certificates is essential for efficient, scalable website protection and can significantly simplify your digital security strategy.

Understanding Subject Alternative Names

What is a SAN Certificate?

A Subject Alternative Name (SAN) is an extension within a digital certificate that allows a single certificate to secure multiple domain names, subdomains, or IP addresses. It essentially tells a web browser, “This certificate is valid for more than just one website.” Instead of needing individual certificates for each domain, a SAN certificate covers multiple sites, simplifying management and improving security.

Background: SSL/TLS and Certificate Validation

To understand SAN certificates, it’s helpful to review the basics of TLS (Transport Layer Security) – the successor to SSL (Secure Sockets Layer). Although technically different, the term “SSL” is often used interchangeably. TLS certificates secure communication between a user’s web browser and a website, encrypting sensitive information like passwords, credit card numbers, and personal data, preventing interception by malicious actors.

When you visit a website, your browser verifies the website’s TLS certificate. A valid certificate indicates a secure connection, and that data you enter will be encrypted. The SAN information can be found within the certificate details, usually accessed by clicking the padlock icon in the address bar of your web browser.

Common Name vs. Subject Alternative Name

• Common Name: Traditionally, the primary domain name listed in a certificate.
• Subject Alternative Name (SAN): A modern TLS certificate (especially multi-domain or wildcard certificates) uses SAN to list multiple additional domains or subdomains.

Think of the Common Name as the primary address, and SANs as additional authorized addresses associated with the same property. SANs allow organizations to add multiple domains (“addresses”) to a single certificate, reducing administrative overhead.

SAN Certificates: Use Cases and Benefits

Organizations use SAN certificates to manage numerous websites or services under different domains or subdomains while enjoying the simplicity and cost savings of a single certificate.

Common Scenarios:

• Multi-Domain Websites: Securing multiple websites (e.g., different brands or regional sites) with one SAN certificate.
• Unified Communications: Applications like Microsoft Exchange and Skype for Business securing multiple services within a single platform.
• Subdomain Management: Simplifying security for businesses using multiple subdomains (e.g., mail.example.com, shop.example.com) without managing individual certificates.

Key Benefits:

• Cost-Efficiency: Securing multiple domains with a single certificate is more cost-effective than purchasing individual certificates.
• Simplified Management: Managing one certificate instead of many reduces complexity in renewals and configuration.
• Scalability: SAN certificates are ideal for organizations with evolving digital infrastructure. They support a variety of domain names, subdomains, and IP addresses, allowing businesses to stay secure as their TLS needs grow.
• Flexibility to Change Names: IT administrators can efficiently manage ad-hoc changes by reissuing or replacing a SAN certificate anytime to add or remove secured names.
• Supporting Multiple IPs and Private Keys: SAN certificates support hosting environments with diverse IP addresses across multiple servers.

How SAN Certificates Work

SAN certificates work by listing multiple domain names or IP addresses in the SAN field of a TLS certificate. When a user accesses a domain listed in the SAN field, the browser recognizes the connection as secure and allows data to flow over an encrypted channel.

Example:

A visitor navigates from example.com to a subdomain like shop.example.com. With a SAN certificate, both domains share a single certificate, allowing the user to navigate securely across the entire website without security warnings. Without SAN, the subdomain would require its own certificate.

Limitations of SAN Certificates:

• Limited Number of Domains: Most SAN certificates support a limited number of domains, typically up to 250, depending on the certificate provider.
• Single Point of Failure Risk: If a SAN certificate is compromised, all domains covered by it are affected.
• Not Suitable for All Scenarios: SAN certificates may not be ideal for use cases that require complete isolation between domains.

Obtaining and Implementing a SAN Certificate

1. Identify Domains: Determine the domains and subdomains you need to secure.
2. Choose a Certificate Authority (CA): Select a CA that offers SAN certificates (e.g., Entrust).
3. Submit a Certificate Signing Request (CSR): Include the primary domain (Common Name) and all additional SANs in the CSR.
4. Domain Verification: The CA verifies your ownership of all the listed domains.
5. Certificate Issuance: The CA issues the SAN certificate after successful validation.
6. Implement the Certificate: Install the certificate on your web servers, ensuring it covers all SAN entries.
7. Regular Renewal: Renew the certificate before expiration to maintain continuous security.

Secure Communication with Entrust

Entrust offers a wide range of digital certificate solutions to help organizations secure their online presence efficiently and reliably. Whether you need SAN certificates for multi-domain management or other advanced certificate options, Entrust provides industry-leading products and dedicated support to meet your unique security needs.