SAN Certificate: Multi-Domain

A SAN (Subject Alternative Name) certificate, also called UCC (Unified Communications Certificate), allows securing multiple completely different domains with a single certificate. Unlike wildcards that cover subdomains of the same domain, SAN can include example.com, other-site.org, and third-domain.net together.

SAN certificates are ideal for companies managing multiple brands or distinct sites, or for securing both the main domain and its variants (with and without www, .com and .fr). They offer flexibility that wildcards don't have.

This guide explores SAN certificate use cases, how to obtain them, and differences with wildcard certificates to help you choose the right solution.

SAN Certificate Benefits

Why use a multi-domain certificate:

• Distinct domains: secure example.com and totally-different.org in the same certificate. Impossible with a wildcard.
• Unified management: a single certificate to install and renew for multiple sites. Operational simplification.
• Cost savings: a SAN certificate costs less than multiple individual certificates (for paid certificates).
• Flexibility: combine domains and subdomains as needed: www.site1.com, blog.site2.org, etc.

SAN vs Wildcard

Choose the right solution for your case:

• Coverage: Wildcard = all subdomains of one domain. SAN = explicit list of domains/subdomains.
• Different domains: Wildcard = single domain. SAN = multiple completely different domains.
• Dynamic subdomains: Wildcard = ideal. SAN = you must add each subdomain manually.
• Let's Encrypt validation: SAN = HTTP-01 works. Wildcard = DNS-01 required.

Getting a SAN Certificate

Steps to create a multi-domain certificate:

1. List your domains: identify all domains and subdomains to include. Each domain requires validation.
2. Verify DNS: all domains must point to your server for HTTP-01 validation.
3. Request the certificate: with Certbot: add multiple -d for each domain you want to include.
4. Configure the server: the certificate applies to all domains. Configure your virtual hosts to use it.

Creating a SAN Certificate

Certbot command examples:

#!/bin/bash
# SAN certificate with multiple domains
certbot certonly --nginx \
    -d example.com \
    -d www.example.com \
    -d other-site.org \
    -d www.other-site.org \
    -d third-domain.net

# Check included domains
openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -noout -text | grep DNS

# Add a domain to an existing certificate
certbot certonly --nginx --cert-name example.com \
    -d example.com \
    -d www.example.com \
    -d new-domain.com

# Combine SAN and wildcard
certbot certonly --dns-cloudflare \
    --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini \
    -d "*.example.com" \
    -d example.com \
    -d other-site.org

You can add up to 100 domains in a Let's Encrypt certificate. Each domain must pass its validation.

SAN Best Practices

Optimize your multi-domain certificate:

• Plan your domains: include all variants from the start: with/without www, .com/.fr, etc.
• Group logically: one certificate per server/application rather than one giant certificate for everything.
• Document contents: keep track of domains included in each certificate to facilitate renewals.
• Monitor each domain: a single certificate, but each domain should be monitored individually.

Frequently Asked Questions

Consolidate with SAN Certificates

SAN certificates are the ideal solution for managing multiple distinct domains. They simplify administration while offering the necessary flexibility.

Monitor each domain in your SAN certificate with MoniTao. A single certificate doesn't mean single monitoring: each domain deserves its own monitor.

Ready to Sleep Soundly?

Start free, no credit card required.

Create My Account See pricing