How Multi-Domain (SAN) SSL Works

These certificates use the "Subject Alternative Name" field to list all the different domain names and subdomains that will be secured. You can include a mix of:

  • Fully qualified domain names (e.g., `www.example.com`, `www.example.org`).
  • Base domains (e.g., `example.com`, `example.net`).
  • Subdomains (e.g., `mail.example.com`, `shop.example.com`).

Most CAs include 2-5 domain names in the base price, with options to add more up to a limit (often 100 or 250 domains per certificate).

💡 Flexibility: SAN certificates are highly flexible, allowing you to add or change SANs during the certificate's validity period (though this may incur a fee or require reissuance).

Available Validation Types

Multi-Domain SSL certificates are available in the following validation levels:

  • DV (Domain Validated): Fast and affordable, verifies only domain ownership.
  • OV (Organization Validated): Offers higher trust by verifying the organization's identity in addition to domain control.
  • EV (Extended Validation): Available for some high-assurance SAN certificates, providing the maximum level of trust.

Best Use Cases

Multi-Domain SSL is ideal for:

  • Managing Multiple Websites: Securing personal websites, business sites, and e-commerce stores under one certificate.
  • Microsoft Exchange & Office 365: Commonly used to secure services like Autodiscover for Outlook, OWA, and other Microsoft communication platforms.
  • Consolidating Security: Simplifying certificate management for a diverse set of domains.
  • Securing Different Brands: Protecting multiple company or brand domains.

Benefits

  • Cost Efficiency: Generally more economical than purchasing individual certificates for each domain/subdomain.
  • Simplified Management: One certificate to install, track, and renew.
  • Flexibility: Can secure a mix of domains and subdomains, including wildcard subdomains (if the certificate type supports it).

Limitations

  • Domain Visibility: All secured domains are listed in the certificate's Subject Alternative Name field and can be viewed by anyone.
  • Single Point of Failure: If the certificate expires or is compromised, all secured domains are affected.
  • Wildcard Complexity: A wildcard SAN entry covers only the domain it names, not every domain in the SAN list; each domain that requires wildcard coverage needs its own Wildcard SAN entry (e.g., `*.example.com`, `*.example.org`).
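
To make the wildcard limitation concrete, the following added example (not from the original page) checks a planned SAN list against the hostnames you intend to serve and reports the ones left uncovered. The SAN entries, hostnames and function names are constructed for illustration. The matcher handles only a whole-label `*` in the left-most position and refuses patterns such as `*.com`.

```python
# Added example: which hostnames does a SAN list actually cover?
# All SAN entries and hostnames below are constructed sample values.

def san_matches(san: str, host: str) -> bool:
    """Return True if one dNSName SAN entry covers host.

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label, so *.example.com covers shop.example.com but
    not example.com (no label) or a.b.example.com (two labels).
    """
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        # Assumption of this example: need two fixed labels after the
        # wildcard (rejects *.com) and a non-empty host label to match.
        return (len(san_labels) >= 3 and bool(host_labels[0])
                and san_labels[1:] == host_labels[1:])
    return san_labels == host_labels

def coverage(sans, hosts):
    """Map each host to the SAN entries covering it (empty list = none)."""
    return {h: [s for s in sans if san_matches(s, h)] for h in hosts}

def uncovered(sans, hosts):
    """Hosts that no SAN entry covers; these would fail name validation."""
    return [h for h, hits in coverage(sans, hosts).items() if not hits]

# Planned certificate: wildcard for example.com only, none for example.org.
SANS = ["example.com", "www.example.com", "*.example.com",
        "example.org", "www.example.org"]
HOSTS = ["example.com", "mail.example.com", "shop.example.com",
         "a.b.example.com", "example.org", "shop.example.org",
         "autodiscover.example.org"]

if __name__ == "__main__":
    for host, hits in coverage(SANS, HOSTS).items():
        status = "covered by " + ", ".join(hits) if hits else "NOT COVERED"
        print(f"{host:26} {status}")
```

Running this check before ordering or reissuing shows which names still need their own SAN entry or a per-domain wildcard entry.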