SAN certificate
A TLS certificate that covers multiple hostnames in one file via the Subject Alternative Name extension; the standard way to cover several names with a single cert.
A SAN certificate (Subject Alternative Name) is a single TLS certificate that lists multiple hostnames it's valid for. The hostnames go in the cert's SAN extension (X.509 extension 2.5.29.17).
Every modern cert is technically a SAN cert: the Common Name field is effectively deprecated, and browsers validate the hostname against the SAN list, not the CN.
Subject: CN=example.com
SAN:
DNS:example.com
DNS:www.example.com
DNS:shop.example.com
DNS:blog.example.com
Why SAN matters at scale
Each TLS certificate is its own object that has to be:
- Renewed before expiry.
- Distributed to every edge node.
- Loaded into the server's cert store.
- Looked up at handshake time via SNI.
A SAN cert with 50 hostnames is one of those things instead of fifty. For multi-tenant SaaS serving 1000 customer hostnames, the choice is:
- 1000 single-name certs. Cleanly per-customer; renewal can be independent.
- 20 SAN certs of 50 names each. Fewer renewal events, fewer cert distribution events. But a single SAN cert renewal failure affects 50 customers.
Let's Encrypt supports up to 100 names per SAN cert. The typical SaaS pattern uses SAN certs of 25–50 names for batching efficiency without huge blast radius.
SAN vs Wildcard
| | SAN | Wildcard |
|---|---|---|
| Covers | Specific hostnames | All subdomains of one base |
| Renewal | One cert per group | One cert per base |
| Use case | Many unrelated hostnames | Many subdomains of your own domain |
For customer-owned hostnames in SaaS (acme.com, shop.com), wildcards don't help because the customers are on different base domains. SAN is the natural fit.
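As an added illustration (not code from the original page), the snippet below shows the two rules the page relies on: a client matches the hostname against the SAN dNSName entries only (a wildcard entry covers exactly one left-most label, so it never spans a customer's different base domain), and a SaaS operator batches customer hostnames into SAN certs of a bounded size to trade fewer renewals against blast radius. The `Cert` record, the `batch_hostnames` helper and all sample hostnames are constructed for this example.

```python
"""SAN hostname matching and SAN batching (constructed example)."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Cert:
    common_name: str                                  # Subject CN: informational only
    san_dns: List[str] = field(default_factory=list)  # dNSName entries from the SAN extension


def _san_entry_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against a hostname (RFC 6125 style):
    case-insensitive exact match, or a '*' that is the whole left-most label
    and covers exactly one label, so *.example.com does not cover
    example.com, a.b.example.com, or acme.com."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches(cert: Cert, hostname: str) -> bool:
    """Modern clients check only the SAN list; a CN-only cert matches nothing."""
    return any(_san_entry_matches(name, hostname) for name in cert.san_dns)


def batch_hostnames(hostnames, per_cert: int = 50, issuer_max: int = 100):
    """Group customer hostnames into SAN certs of at most per_cert names,
    capped by the issuer's per-certificate limit (100 for Let's Encrypt).
    Returns a list of name lists; each inner list is one SAN cert."""
    size = min(per_cert, issuer_max)
    names = sorted({h.lower().rstrip(".") for h in hostnames})
    return [names[i:i + size] for i in range(0, len(names), size)]


def blast_radius(batches) -> int:
    """Hostnames taken down if the largest cert's renewal fails."""
    return max((len(b) for b in batches), default=0)
```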