Everything you need to know about SAN certificates
A SAN certificate (Subject Alternative Name certificate), is a type of SSL certificate that allows multiple domain names to be secured with a single certificate. This is particularly beneficial for organizations that manage several websites or services across different domains and subdomains. Read our guide on SAN certificates to find out how SAN certificates work, why they are important, and how you can get yours.
Introduction to SSL certificates
SSL certificates are digital certificates that provide a secure and encrypted connection between a web server and a user's web browser. They are essential to ensure the confidentiality, integrity, and authenticity of data transmitted between the user and the server. If you are a website owner, a valid SSL certificate is vital to protect your customer’s data. Many browsers no longer even load websites that do not have a valid SSL certificate, which makes it almost impossible for users to visit your website.
SSL certificates use encryption algorithms that “scramble” the data that users enter into your website, which makes it impossible for third parties to intercept it. When SSL is correctly implemented, the URL of a website changes to "https://" to indicate a secure connection.
To learn more about how SSL certificates work and what other subtypes there are, take a look at this guide.
What are SAN certificates?
Usually, SSL certificates protect only a single domain. A SAN (Subject Alternative Name) certificate is a type of SSL certificate that allows multiple domain names to be protected with a single certificate. It's especially useful for securing websites that operate under multiple names or have various subdomains.
The SAN certificate specifies a list of associated domain names or IP addresses in the "Subject Alternative Name" field of the certificate. When a connection is initiated, the SSL protocol checks if the domain name being requested matches one of the domain names listed in the SAN field. If there's a match, the connection proceeds securely; if not, the browser may show a warning to the end user.
SAN certificates are particularly suitable for websites that use virtualization or cloud services, which often involve numerous dynamic subdomains. By reducing the need for multiple certificates, SAN certificates help simplify certificate management in these cases and cut down on administrative overhead and cost. Simplified certificate management also strongly reduces the likelihood of human error when it comes to updating and maintaining certificates, which could lead to security breaches.
How do you get a SAN certificate?
Choosing a Certificate Authority
If you want to get a SAN certificate, selecting the right Certificate Authority (CA) is an important step. A CA is a trusted entity that issues digital certificates, and the credibility of your SAN certificate hinges on the reputation of the CA you choose. When choosing a CA, it's important to look for one that is widely recognized and trusted by browsers and devices, such as Sectigo.
A trustworthy CA should have a strong reputation for security and reliability, ensuring that the certificates it issues are widely recognized and respected. Choosing a CA that undergoes regular and thorough audits, and adhering to industry standards such as those set by the CA/Browser Forum is essential. Moreover, check for customer reviews on places like Trustpilot to make sure you choose a CA with robust customer support, which is invaluable in case you encounter issues with your certificate.
Where to buy a SAN certificate
When you're ready to buy a SAN certificate, there are several sources you can turn to. The most common are directly from Certificate Authorities or through third-party resellers, such as a domain registrar or hosting provider. Purchasing directly from a Certificate Authority ensures that you're getting the certificate from the source, often accompanied by direct support and guidance. This can be reassuring, especially if you value having a direct line to your certificate provider.
Resellers, on the other hand, can offer competitive pricing and might provide additional services such as simplified management tools for multiple certificates, or lower prices for certificates bought in bulk. They often have customer service teams that can assist with the selection and installation process.
Regardless of where you purchase your certificate, make sure that the provider offers a secure and straightforward buying process. Look for clear pricing, a range of payment options, and easy access to support. It's crucial to use a trusted platform to prevent any security issues right from the start of your purchase.
How to buy a SAN certificate
The buying process for SAN certificates can be slightly different, based on whether you are buying yours directly with a CA or through a reseller. If you are buying the certificate directly with the CA, you'll need to generate a Certificate Signing Request (CSR) on your server, which includes your domain name and company details. This request is a key part of the SSL certificate application process. However, when you buy a SAN certificate with a reseller, such as a domain registrar or hosting company, the reseller will take care of this process, and you will not have to generate a CSR yourself.
Once you have your CSR (if needed), you can choose the type of SAN certificate that best suits your needs. There are three validation levels: Domain Validation (DV), Organization Validation (OV), or Extended Validation (EV), with DV offering the lowest and EV offering the highest level of protection. You can learn more about these levels of validation in this guide on SSL.
After selecting your certificate type, you can place your order. You will then go through the validation process, which varies depending on the level of certificate you've chosen. After successful validation, the CA will issue your SAN certificate, which you can then install on your server to secure your main domain and any associated subdomains.
If you want to buy your own SAN certificate for the lowest price, you can do so in a few clicks through the Openprovider control panel.
Installation and management
How to install your SAN certificate
Installing your SAN certificate involves several steps. After receiving your certificate from the CA, you'll need to install it on your web server. The installation process can vary depending on your server software, so it's important to follow the specific guidelines provided by your hosting provider or the Certificate Authority.
Typically, you will need to access your server's control panel or command line interface. From there, you'll input the certificate files that you received from the CA—the primary certificate, the private key generated with your CSR, and any intermediate certificates.
Once the files are uploaded and configured, you should then check that your server is set up to serve HTTPS requests by default and that any HTTP traffic is redirected to HTTPS, ensuring secure connections for all users. After installation, verify the certificate's functionality using an SSL checker tool to ensure it's working correctly across all subdomains. If you encounter issues, consult your provider's support resources.
Tips for effective certificate management
Buying and installing a SAN certificate does not mean your website is protected forever. These four tips for effective certificate management can help prevent unexpected security issues.
Be proactive in monitoring the expiry date of your certificate. Allowing it to lapse can result in your website being flagged as insecure, which can deter visitors. We recommend setting up reminders to renew your certificate well in advance of its expiration date.
Keep your private keys secure. If they are compromised, the security of your certificate is at risk. Store them in a secure location and limit access to them.
Regularly review and update your list of included domains to ensure every domain that requires protection is covered by your SAN certificate. If you add new (sub)domains to your website infrastructure, remember that they may not be included automatically in the SAN field.
Stay informed about the latest security practices and updates from your Certificate Authority. This will help you respond quickly to any vulnerabilities or changes in industry standards.
Renewal and troubleshooting
The renewal process: what you need to know
The renewal process for a SAN certificate is something you need to handle well before the certificate expires. Typically, your hosting provider or Certificate Authority will send you reminders as the expiration date approaches. It's advisable to start the renewal process at least one month in advance to avoid any lapse in your website's encryption.
Renewing your SAN certificate usually involves generating a new CSR and purchasing a renewal from your CA. You might be able to use the same CSR you used for the original certificate, but some CAs recommend generating a new one for security reasons.
Once your renewal has been processed and you have received your new certificate, you will need to install it on your server, just as you did the first time. After installation, make sure to verify that it is functioning correctly.
Keep records of your renewal dates and the steps you've taken, as this will streamline future renewals. Staying on top of renewal ensures continuous protection and trust for your website's visitors.
Troubleshooting common SSL issues
When implementing SAN certificates, you may run into several common errors. The most frequent problem with SAN certificates is incorrect or missing entries in the SAN field. This might mean that a critical domain or subdomain is not covered by the certificate, leading to security warnings in browsers. To avoid this issue, be careful to review the list of domains and subdomains that need to be secured before issuing the certificate. If any domains are missing or incorrect, you will need to reissue the certificate with the correct SAN entries.
This issue can also occur during the renewal of a SAN certificate when there is particular a risk of domains being omitted or failing to add new ones that are now required. Be sure to maintain a current list of all domains and regularly update it as your infrastructure changes. Use this list when renewing the certificate to ensure all necessary domains are included.
Having a large number of SAN entries in a single certificate can sometimes also impact the server’s performance, due to the processing overhead associated with managing multiple domains. Ensure that you do not overload a certificate with an excessively large number of SAN entries, and balance the load across several certificates if needed.
If you continue to experience issues after these checks, consult your certificate provider's Knowledge Base or contact their support team. They should be able to provide guidance specific to your situation.