Q: What is a Subject Alternative Name certificate and how is it different from a wildcard certificate?

A: A Subject Alternative Name (SAN) certificate is a certificate that leverages the SAN X.509 certificate extension and that allows you to secure multiple domains with a single certificate. This ability reduces the cost of deploying certificates and greatly simplifies certificate management in environments where you need SSL certificates to secure access to different server and domain names that are all part of the same service or infrastructure.

For example, a Microsoft Exchange Server messaging infrastructure typically requires SSL certificates to secure access to the Outlook Web Access (OWA), Outlook Anywhere (OA), and autodiscover service URLs and domain names. Instead of installing separate SSL certificates to secure access to, for example, the webmail.mycompany.net, autodiscover.mycompany.net, and mailserver.mycompany.net domain names, you can use a single SAN certificate that has these three names embedded in its X.509 SAN field.

This example shows how SAN certificates let you specify a list of different server or service identifiers and protect them using a single certificate. You can use SAN certificates to protect different top-level DNS domain names, websites, IP addresses, internal server names, and more. The SAN extension also lets you embed more information about the subject than just its distinguished name (DN) in a certificate. You can, for example, add its Internet email address, Internet domain name, IP address, X.400 email address, URL, and so forth.

You can purchase SAN certificates from commercial Certification Authorities (CAs) such as VeriSign, GeoTrust or GlobalSign, or you can let your internal Windows CA generate your SAN certificates. SAN certificates are more flexible than wildcard certificates. A wildcard certificate leverages the Subject field of an X.509 certificate to embed a wildcard name in the certificate. For example, placing the wildcard *.mydomain.com in the Subject field of a certificate allows you to use that certificate to secure sales.mydomain.com as well as marketing.mydomain.com, and so forth.

An important limitation of wildcard certificates is that the subjects must share the same domain name and the same number of domain levels. This restriction doesn't apply to SAN certificates. With a single SAN certificate, you can secure the domain sales.com as well as the marketing.net domain.
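The matching rules described above, as an added example that is not part of the original article: a small Python matcher that checks a hostname against a certificate's SAN entries or a wildcard Subject name, using the same `(type, value)` tuple shape that Python's `ssl` module returns in `getpeercert()["subjectAltName"]`. The domain names and the IP address are constructed sample data.

```python
"""Match a requested hostname against a certificate's identifiers.

Rules implemented (as the article describes them): a DNS identifier matches
exactly (case-insensitive); a wildcard matches only when '*' is the whole
leftmost label and the hostname has the same number of domain levels;
an IP identifier matches an IP literal the client connected to.
"""
import ipaddress


def _wildcard_match(pattern: str, hostname: str) -> bool:
    """'*.mydomain.com' covers sales.mydomain.com but not eu.sales.mydomain.com."""
    p_labels = pattern.lower().split(".")
    h_labels = hostname.lower().split(".")
    if p_labels[0] != "*" or "*" in p_labels[1:]:
        return False  # only an entire leftmost label may be a wildcard
    if len(p_labels) < 3:
        return False  # refuse '*.com': a wildcard must sit under a registered domain
    # Same number of levels, and every label after the wildcard must match exactly.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches(identifiers, hostname: str) -> bool:
    """identifiers: list of ('DNS', name) or ('IP', address) tuples from the
    certificate; hostname: the name or IP literal the client asked for."""
    for kind, value in identifiers:
        if kind == "DNS":
            if "*" in value:
                if _wildcard_match(value, hostname):
                    return True
            elif value.lower() == hostname.lower():
                return True
        elif kind == "IP":
            try:  # compare as addresses so '10.0.0.01' and '10.0.0.1' agree
                if ipaddress.ip_address(value) == ipaddress.ip_address(hostname):
                    return True
            except ValueError:
                continue  # hostname is not an IP literal; an IP entry cannot match it
    return False


# Constructed sample identifiers mirroring the article's scenarios.
EXCHANGE_SAN = [("DNS", "webmail.mycompany.net"), ("DNS", "autodiscover.mycompany.net"),
                ("DNS", "mailserver.mycompany.net")]
MULTI_DOMAIN_SAN = [("DNS", "sales.com"), ("DNS", "marketing.net"), ("IP", "192.0.2.10")]
WILDCARD_SUBJECT = [("DNS", "*.mydomain.com")]

if __name__ == "__main__":
    for ids, host in [(EXCHANGE_SAN, "autodiscover.mycompany.net"),
                      (MULTI_DOMAIN_SAN, "marketing.net"),
                      (WILDCARD_SUBJECT, "sales.mydomain.com"),
                      (WILDCARD_SUBJECT, "eu.sales.mydomain.com")]:
        print(f"{host:28} -> {cert_matches(ids, host)}")
```

The last case shows the wildcard limitation: one more domain level than the pattern and the name is no longer covered, whereas a SAN certificate can simply list that deeper name explicitly.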
