What is a Subject Alternative Name Certificate?
A Subject Alternative Name (SAN) Certificate is a digital certificate that is used to secure multiple domain names, IP addresses, or hostnames within a single certificate. Also known as a Unified Communication Certificate (UCC), multi-domain certificate, or an exchange certificate, the extremely versatile SAN certificate is a valuable and versatile option for modern IT infrastructures that frequently requires many domains, subdomains, and services across a single network.
Cloud Native Security Report 2023
How do SAN certificates enhance security?
SAN certificates facilitate secure communications within complex environments, and play a vital role in securing web servers, email servers, or any network services that utilize multiple domain names or hostnames. What is the real value of consolidating these all into a single SAN certificate? It will simplify the management of cryptographic keys, plus streamline certificate issuance and renewal. Rather than managing the certificate lifecycle of dozens of certificates, SAN certificates allow you to reduce the time and resources needed to ensure all domains and hostnames are secure within just one certificate.
Understanding how SAN certificates work
It can be a little challenging to grasp the complex technical nature of what a SAN certificate is and how it can fit into your security strategy. Let’s take a look at how they compare to other certificates we already know about:
What is the difference between a SAN certificate and Domain Validated (DV) certificate?
SAN certificates and Domain Validated (DV) certificates differ in the level of assurance they provide users. SAN certificates do provide a high level of security in that they verify ownership of each domain or hostname in the SAN field of the certificate. DV certificates provide only basic validation of the ownership of the domain, but they do not confirm the legitimacy of the organization that owns the domain. These certificates are more common for personal blogs or small businesses where trust and encryption should be established, but isn’t a major priority.
What is the difference between a SAN certificate and wildcard certificate?
While they are similar in concept, the difference between a SAN certificate and a wildcard certificate is their scope and usage. Wildcard certificates only allow you to secure a domain and all its subdomains within a single certificate, but SAN certificates allow you to secure multiple domains, hostnames, or IP addresses within a single certificate.
While wildcard certificates are convenient for organizations with numerous subdomains, SAN certificates are more flexible and versatile in allowing you to consolidate a wider range of assets.
What is the difference between a SAN certificate and an Organization Validated (OV) certificate?
There difference between a SAN certificate and an Organization Validated (OV) certificate is the level of security involved in the validation process. For a SAN certificate, the validation process requires simply verifying control over each domain or hostname listed in the SAN field. OV certificates require a higher level of validation by taking the additional step of verifying the legitimacy and of the organization itself. This can include the organization’s name, phone number, address, and other details. The allows the user assurance that website they are visiting belongs to a valid organization. Essentially, SAN certificates validate the domains and hostnames of a website, while OV certificates also validate the existence of the owner behind the website.
What is the difference between a SAN certificate and Extended Validation (EV) certificate?
Extended Validation (EV) certificates offer the highest possible level of trust and assurance compared to SAN certificates. Validating an EV certificate is a rigorous process that (like a Domain Validated certificate) provides additional verification of the existence and validity of the organization that owns a certificate, where as SAN certificates secures a domain or hostname without verifying the organization’s identity. Extended Validation certificates will also have the verified organization’s name prominently displayed in the address bar of the web browser, along with the iconic ‘green padlock’ icon that we’ve all come to know and trust. These certificates provide users with clear visual queues that they are engaging with a trusted and legitimate website.
How to obtain a SAN certificate
What are the requirements of a SAN certificate?
- Provide proof of ownership over every domain name, hostname, or IP address that should be included in the certificate.
- Demonstrate this ownership by responding to a verification email to the requested domain name, publishing a particular DNS record, or uploading a test file to the website’s server.
- Payment of a fee, which will vary depending on the issuing Certificate Authority.
- Compliance with all standards and procedures of the issuing Certificate Authority, which may include additional documentation or information they may require
- Continued renewal and maintenance of the SAN certificate, as they are only valid for 1 – 2 years
What is the process to get a SAN Certificate?
Here is the step-by-step process of how to get a SAN certificate:
- Compile a list of all the domain, hostnames, or IP addresses you wish to consolidate under a SAN certificate.
- Research and select a reputable Certificate Authority that offers SAN certificates. Be sure to consider factors such as cost, validation processes, compliance requirements, and compatibility with your platform.
- Generate a Certificate Signing Request (CSR) for all the domains, hostnames, or IP addresses that are meant to be covered by the SAN certificate.
- Provide ownership verification of the domain names, hostnames, or IP addresses you need included in the SAN certificate (see above)
- Submit the CSR to your chosen Certificate Authority and order your new SAN certificate.
- Review the details of the SAN certificate before you begin installation to ensure that nothing was left out. Every single domain, hostname or IP address from your original request list should be included.
- Install the certificate, following the specific instructions of your platform. Ensure it is installed and configured correctly.
- Test the configuration of your SAN certificate to confirm all the domains, hostnames, or IP addresses you requested are now being secured.
- Monitor your SAN certificates for expiration and be sure to submit a renewal before it expires!
What are the best practices for implementing a SAN certificate?
To ensure the most robust encryption and steady protection for all the assets you choose to secure under a SAN certificate, there are a several best practices you should follow. The first best practice is to carefully consider which domains, hostnames, or IP addresses you will choose to include in your SAN certificate. Rather than just dumping every asset you can find into the request, take into consideration the future scalability of the certificates so you don’t bog it down with unneeded entries. This will ensure you are maximizing the security of the certificates you are including.
As mentioned above, it is vital to choose a trusted and reliable Certificate Authority. Research their track records for issuing certificates and ask questions about how they handle customer support requests. If you have any problems, you want to know you’ll be able to easily get the help you need.
Another best practice to follow is to use strong encryption algorithms to configure for your SAN certificate with substantial key lengths, for example RSA or ECC. This is just an added layer that will secure your data transmission and protect your communications from bad actors.
Finally, implement monitoring solutions to track the health and lifecycle of your SAN certificates. Expiration dates, potential security vulnerabilities, and certificate-related alerts are just some of the daily updates you never want to miss.
Advantages vs Disadvantages
We’ve already discussed the many advantages of SAN certificates. Some of these include the cost-efficiency and simplified management that comes with consolidating several certificates into one, the versatility that SAN certificates offer by being able to consolidate domains, hostnames, or IP addresses, and the enhanced security that is the natural result of ensuring consistent encryption standards and centralized security. There are, however, a few potential concerns with SAN certificates that you should be aware of:
- Configuration of SAN certificates can often be complex and requires detailed planning and expertise to avoid configuration mistakes that could leave all the certificates covered by the SAN field vulnerable.
- Large organizations that do not have a central IT infrastructure may find it challenging to verify ownership or control of multiple domains, hostnames, or IP addresses across an entire network. Errors in this process can often delay or even prevent the issuance of a SAN certificate.
- While securing several assets under one certificate has the cost and security benefits listed above, there is risk that is inherent with having a single point of failure. Compromise of just one certificate can lead to the vulnerability of every asset it is protecting, which could make a breach go from minor to major.
These are just some of security and complexity challenges that could possibly arise when dealing with SAN certificates, but this should not dissuade you. So long as you carefully weigh these factors, you will be able to successfully determine whether SAN certificates align with your organization’s security needs and infrastructure requirements.
One of the main benefits of SAN certificates are centralized management. To learn more about how consolidating all your certificate lifecycle management needs under one platform can benefit your organization, learn more about the Venafi Control Plane!