Computer Security
Subject Alternative Name (SAN)
Computer Security
What is Subject Alternative Name (SAN)?
The Subject Alternative Name aka SAN is an extension to the X.509 specification that allows users to specify additional host names for a single SSL certificate. The use of the SAN extension is standard practice for SSL certificates, and it’s on its way to replacing the use of the common name (CN).
SAN Certificate
A SAN certificate is a term often used to refer to a multi-domain SSL certificate. An SSL certificate with more than one name is associated using the SAN extension.
When using the term ‘multi-domain certificates’, we’re generally referring to an SSL certificate that has the ability to cover multiple host names (domains). If we use the term ‘SAN certificates’, we’re probably referring to a particular certificate that includes any name in the SAN extension.
In practice, the terms ‘SAN certificates’ and ‘multi-domain certificates’ are synonymous. These certificates are often marketed as “special” and priced differently than standard certificates, because we can associate more than one hostname.
SAN restrictions
There’s no specific limitation on the host names you can cover with a SAN extension, besides the requirement to be syntactically valid host names. However, certificate authorities may impose further limitations on the number or formats based on internal rules or business decisions.
- It’s common practice to disallow arbitrary wildcard names as SAN host names. This means SAN certificates generally support only a specific list of names.
- It’s also common to encounter a limit on the number of names per certificate, usually up to 100.
Adding SAN to a digital certificate
Subject Alternative Name (SAN) is an extension to X.509. The X.509 specification allows users to specify additional host names to be protected by a single SSL certificate using subjectAltName field of a certificate. Additional hostname can be added to both Certificate Signing Request (CSR) and the final server certificate.
After generating a certificate with SAN and the clients can connect to the server using subjectAltName. Whenever HTTPS request comes to any of the virtual host, the server uses the same certificate for SSL handshake.
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS.1 = www.service1.com
DNS.2 = www.service2.comSubject Alternative Name Extension extension must contain at least one entry. Each entry must be either a DNS name containing the Fully-Qualified Domain Name or an IP address. Also, wildcard FQDNs are permitted.
Note: Certificate Authorities (CAs) shall not issue certificates with a subjectAltName extension or subject:commonName field containing a Reserved IP Address or Internal Name.
CN is Deprecated!
Placing a DNS name in the common name (CN) is deprecated by both the IETF and CA/Browser Forums. Use the CN for a friendly name like “Example LLP” since its displayed to the user.
According to the CA/Browser Baseline Requirements (BR), a DNS name in the CN must also be present in the SAN.
9.2.2 Subject Common Name Field
Certificate Field: subject:commonName (OID 2.5.4.3) Required/Optional: Deprecated (Discouraged, but not prohibited) Contents: If present, this field MUST contain a single IP address or Fully-Qualified Domain Name that is one of the values contained in the Certificate’s subjectAltName extensionInternal Name
A string of characters (not an IP address) in a Common Name or Subject Alternative Name field of a Certificate that cannot be verified as globally unique within the public DNS at the time of certificate issuance because it does not end with a Top Level Domain registered in IANA’s Root Zone Database.
