Multi-domain certificate
Another name for a SAN certificate. A single cert valid for multiple hostnames listed in the Subject Alternative Name field.
A multi-domain certificate is the same thing as a SAN certificate. Different name, same technology. Marketing teams at commercial CAs introduced "multi-domain" because "SAN" was too technical for sales pages.
Naming map
| Used by | Term |
|---|---|
| RFC 5280 (the actual standard) | "Subject Alternative Name" |
| Most engineers | SAN cert |
| Commercial CA marketing | Multi-domain SSL |
| Microsoft / older docs | UCC (Unified Communications Certificate) |
If a sales page offers "multi-domain SSL," it is offering a SAN cert.
When to choose multi-domain over wildcard
Multi-domain (SAN) lists specific hostnames. Wildcard covers all subdomains of a base.
- Pick multi-domain when the hostnames don't share a common base, or you want explicit control over which subdomains are covered.
- Pick wildcard when you have many subdomains of one base and they all need the same cert.
For SaaS serving custom domains (each customer brings their own root), multi-domain is the only option since wildcards can't span multiple base domains.
Limits
- Let's Encrypt: up to 100 names per cert.
- Most commercial CAs: up to 100–250 names.
- Browsers: no hard limit, but very large certs (250+ names, 100KB+) slow handshakes slightly.
The practical pattern
For multi-tenant SaaS, the typical setup is "rolling SAN certs": ~25–50 customer hostnames per cert, with a new cert issued whenever an existing one is full, and old certs renewed independently. Each cert renews on its own 90-day cycle.
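The rolling pattern above, as an added Python example (not code from this page or from any CA's tooling). `RollingSanPool`, the 50-name cap, the 30-day renewal lead and the sample hostnames are assumptions; domain validation and the actual issuance call (ACME or a CA API) are left to the caller.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_NAMES = 50                      # assumed cap, top of the 25-50 range above
LIFETIME = timedelta(days=90)       # 90-day cycle from the text
RENEW_BEFORE = timedelta(days=30)   # assumed renewal lead time

@dataclass
class SanCert:
    cert_id: int
    issued: date
    names: list = field(default_factory=list)

    @property
    def expires(self):
        return self.issued + LIFETIME

class RollingSanPool:
    """Hypothetical tracker for which hostname sits on which SAN cert."""

    def __init__(self):
        self.certs = []      # oldest first; only the last one may have room
        self.by_name = {}    # normalized hostname -> SanCert

    def add_hostname(self, hostname, today):
        """Place an already-validated hostname; return the cert carrying it."""
        name = hostname.strip().rstrip(".").lower()
        if not name:
            raise ValueError("empty hostname")
        if name in self.by_name:            # already covered, nothing to issue
            return self.by_name[name]
        if not self.certs or len(self.certs[-1].names) >= MAX_NAMES:
            self.certs.append(SanCert(len(self.certs) + 1, today))
        cert = self.certs[-1]
        cert.names.append(name)
        cert.issued = today   # a changed SAN list means a freshly issued cert
        self.by_name[name] = cert
        return cert

    def due_for_renewal(self, today):
        """Certs inside the renewal window, each judged on its own expiry."""
        return [c for c in self.certs if today >= c.expires - RENEW_BEFORE]

if __name__ == "__main__":
    pool = RollingSanPool()
    # Constructed sample tenants: 120 custom domains onboarded on one day.
    for i in range(120):
        pool.add_hostname(f"shop.customer{i}.example", date(2024, 1, 1))
    print([(c.cert_id, len(c.names)) for c in pool.certs])
```

Capping names per cert also bounds how many tenants share one private key and one renewal failure.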