Subject Alternative Name (SAN) is an important extension in modern X.509 certificates (the standard format for SSL/TLS certificates).
It allows a single certificate to secure multiple domain names, subdomains, IP addresses, or even other types of identifiers — instead of needing a separate certificate for each one.
Quick History & Why It Exists
Originally (in very old certificates):
- Only one name was allowed → stored in the Common Name (CN) field of the certificate subject
- Example: CN = www.example.com
This created many problems:
- What about example.com (without www)?
- What about mail.example.com, shop.example.com, blog.example.com?
- What about completely different domains like company.net?
Solution → Subject Alternative Name extension (introduced in X.509 v3)
Modern rule (since ~2011–2017, enforced by browsers):
Browsers ignore the Common Name (CN) if SAN entries exist. They only look at the names listed in the subjectAltName field.
What can you put in SAN? (most common types)
| Type | Example | Purpose |
|---|---|---|
| DNS name | www.example.com | Most common — normal domain names |
| DNS name | example.com | Usually added together with www version |
| DNS name | *.example.com | Wildcard (one level only) |
| DNS name | api.internal.company | Internal domains (in private PKI) |
| IP address | 192.168.1.10 or 10.0.0.55 | Rare nowadays, mostly legacy/internal use |
| Other (less common) | email:admin@company.com | Client certificates, S/MIME |
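The matching rule and entry types above, as an added example that is not part of the original page: a hostname/IP check over a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`. The sample certificate, the function names and the `legacy_cn_fallback` flag are constructed for illustration.

```python
import ipaddress

# Constructed certificate, in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "old.example.net"),),),
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "*.example.com"),
        ("IP Address", "192.168.1.10"),
    ),
}


def _dns_match(pattern, host):
    """Compare one DNS name from the certificate with a hostname, label by label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard covers exactly one label, never several
    if p_labels[0] == "*":
        # Wildcard must be the whole left-most label. Requiring two fixed
        # labels after it (no "*.com") is a conservative choice of this example.
        return len(p_labels) > 2 and h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    return "*" not in pattern and p_labels == h_labels


def cert_matches(cert, target, legacy_cn_fallback=False):
    """True if target (hostname or IP literal) is covered by the certificate."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # IP targets match only "IP Address" entries, never DNS entries or the CN.
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    if sans or not legacy_cn_fallback:
        # SAN present (or fallback disabled): the Common Name is never consulted.
        return any(k == "DNS" and _dns_match(v, target) for k, v in sans)
    # Old-style certificate with no SAN at all: fall back to the CN only on request.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(cn, target) for cn in cns)
```

In real clients this check is done by the TLS library during the handshake; the sketch only makes the rule visible.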
Real-world Examples of SAN Usage
Typical modern website certificate
Common Name (CN): example.com (mostly decorative nowadays)
Subject Alternative Names:
- www.example.com
- example.com
- shop.example.com
- blog.example.com
- api.example.com
Multi-brand / multi-company certificate (very common in enterprises)
SANs:
- company.com
- www.company.com
- portal.company.com
- partnercompany.net
- login.partnercompany.net
- myapp.io
Benefits of SAN certificates
- One certificate → fewer renewals to track
- Much easier server configuration (especially with name-based virtual hosting)
- Works perfectly with modern load balancers / CDNs
- Cheaper than buying 5–10 separate single-domain certificates
- Solves the famous www vs non-www mismatch problem
In short (2025–2026 reality):
When someone talks about a SAN certificate or Multi-Domain certificate (also called UCC in the past), they almost always mean:
→ One TLS/SSL certificate that protects multiple domain names through the Subject Alternative Name extension.
And remember the golden modern rule:
If SAN exists → browsers only care about SAN (They don't even look at Common Name anymore)