The Subject Alternative Name or SAN is a form of extension to X.509 specification permitting users to stipulate additional host names for single kind SSL certificate. Basically, the SAN extension is a form of standard pattern for SSL certificates, and it is on it’s way of substituting the employment of common name.
A subject alternative name or SAN is a structured mode to highlight all domain names as well as IP addresses that are safeguarded by the certificate. It is basically the subdomains and IP addresses that are incorporated on the short list of items considered as a SAN.
In order to understand what is a SAN (Subject Alternative Name) and it’s purpose, it is essential to understand the background of the X.509 specifications. It is useful in the SSL certificates format. In the original situation, SSL certificates only sanction the designation of single host name for the certificate subject known as Common Name.
The common name basically represents the name of the host that’s covered via the SSL certificate. The attempt to utilize the certificate for the websites that do not match with the common name results in a security error, termed as host name mismatch error.
Once original specification done, it is evident to be helpful in carrying a single certificate covering several host names. The common example can be defined by a single certificate screening the root domain as well as the www subdomain. Additionally, it is not peculiar to employ the usage of same SSL certificate for both example.com and www.example.com.
Subject Alternative Name in SAN Certificates
A Subject Alternative Name is used in SAN Certificate that is often used in order to refer to multi-domain SSL certificate. It is a fact that a SSL certificate comprising more than one name is generally associated with the application of SAN extension.
Yes, there is a key difference. While employing the term ‘multi-domain certificates’, the common reference of an SSL certificate is meant to be its competency to cover several host names i.e. domains. While using the term ‘SAN certificates’, the reference has been made to a specific certificate that incorporates all kinds of names within the SAN extension.
In terms of technical standpoint, a certificate that has been issued today is in effect a SAN certificate, in fact CA/B forum needs the certification authority to include the content of the common name into SAN as well. Despite the certificate captures a single independent name, it still going to use the SAN extension as well as integrate that single specific name.
The Purpose of SAN
In terms of practice and purpose, the words ‘SAN certificates’ as well as ‘multi-domain certificates’ are one and the same. They generally showcase a certificate product in which issuers can related more than one domain after undertaking the SAN content directly or indirectly. The SAN certificates created with this purpose are generally marketed with “special” category and the classification of price is done differently in comparison to standard certificates. It is basically due to the fact that one can associate over one name in it.
The Restrictions of SAN
There is no particular limitation over the host names that you can cover with the help of SAN extension, additionally, the obligation to be syntactically legit host names. Nevertheless, certificate authorities may enforce further restrictions on the number or rather the formats on the basis of business decisions or internal rules and regulations.
For instance, it is a genuine practice to forbid arbitrary wildcard names as the SAN host names. It simply denotes the fact that Subject Alternative Name certificates usually support just a particular list of names.
It is also usual to encounter a restriction on the total names per certificate basis, normally up to 100.
Eventually, names are broadly not required to exist in the same domain. It is fine for a certificate covering the list of names in the following way:
DNSimple and SAN Certificates:
DNSimple delivers SAN SSL certificates on the basis of the issuance by Let’s Encrypt certification authority.
In terms of present platform restriction, all the names are required to be belonging to the same domain: