What can Subject Alternative Names do?
Hosting multiple SSL-enabled sites on a single server typically requires a unique IP address per site, but a certificate with Subject Alternative Names can solve this problem. Microsoft IIS 6, IIS 7 and Apache are all able to virtual-host HTTPS sites using Unified Communications SSL certificates, also known as SAN certificates.
- Can contain different FQDNs (Fully Qualified Domain Names), or different hosts under the same domain.
- Can have up to 1 Main Domain and 4 additional Domains within the certificate.
- Example 1: host1.domain.com and host2.domain.com
- Example 2: www.domain.com and www.abc.com.
- Can be deployed across multiple servers when purchasing licenses.
- Useful where there is a need to secure multiple domains that resolve to a single IP address (such as in a shared hosting environment).
Using a SAN certificate saves the hassle and time involved in configuring multiple IP addresses on an Exchange 2007 server.
How do browsers use the Subject Alternative Name field in an SSL certificate?
When browsers connect to a server using HTTPS, they check that the SSL certificate matches the domain name in the address bar.
There are three ways for browsers to find a match:
- The domain name (in the address bar) exactly matches the Common Name in the certificate’s Subject.
- The domain name matches a wildcard common name. For example, www.example.com matches the common name *.example.com.
- The domain name is listed in the Subject Alternative Name field.
Comparing the server name it connects to with the Common Name in the server certificate is the most common way a browser matches the domain name typed in the address bar.
It is safe to assume that all SSL clients support exact common name matching.
If an SSL certificate has a Subject Alternative Name (SAN) field, then SSL clients are supposed to ignore the common name value and seek a match in the SAN list.
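The three matching rules above, and the "SAN present means CN is ignored" rule, as an added example that is not part of the original page. It works on a constructed, simplified certificate record (a dict with `subject_cn` and `san` keys, both assumed names) rather than a parsed X.509 object, and applies the usual single-label wildcard restriction.

```python
# Added example: browser-style hostname matching against a certificate.
# Certificate records are constructed dicts, not real parsed certificates.

def match_name(pattern: str, hostname: str) -> bool:
    """Match a hostname against one certificate name.

    Exact match is case-insensitive. A leading '*.' wildcard covers exactly
    one DNS label (so '*.example.com' matches 'www.example.com' but not
    'a.b.example.com' or 'example.com'), and a wildcard must not stand in
    for a whole top-level domain such as '*.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname            # rule 1 (CN) / rule 3 (SAN entry)
    parent = pattern.split(".")[1:]           # labels after the '*'
    labels = hostname.split(".")
    return (len(parent) >= 2                   # reject '*.com'
            and len(labels) == len(parent) + 1 # '*' replaces exactly one label
            and labels[1:] == parent)          # rule 2 (wildcard)


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """If the certificate carries a SAN list, only that list is consulted and
    the Common Name is ignored; otherwise fall back to CN matching."""
    san = cert.get("san") or []
    if san:
        return any(match_name(name, hostname) for name in san)
    cn = cert.get("subject_cn")
    return bool(cn) and match_name(cn, hostname)


# Constructed sample certificates (one main name plus additional SAN names).
UC_CERT = {
    "subject_cn": "mail.example.com",
    "san": ["mail.example.com", "autodiscover.example.com", "www.example.net"],
}
# CN names a host that is missing from the SAN list: browsers ignore the CN here.
SAN_WITHOUT_CN = {"subject_cn": "legacy.example.com", "san": ["www.example.com"]}
# Wildcard in the CN only, no SAN extension.
WILDCARD_CERT = {"subject_cn": "*.example.com", "san": []}

if __name__ == "__main__":
    for cert, host in [(UC_CERT, "autodiscover.example.com"),
                       (SAN_WITHOUT_CN, "legacy.example.com"),
                       (WILDCARD_CERT, "www.example.com"),
                       (WILDCARD_CERT, "a.b.example.com")]:
        print(f"{host:28} -> {cert_matches_hostname(cert, host)}")
```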
The SAN attribute is available with all Verisign certificates.