SAN SSL Certificate | What is Subject Alternative Name SSL Certificate?
Subject Alternative Name

08/05/2022 by admin with 0 comments

Use of Subject Alternative Name Field by Browsers in SSL Certificates

What is an SSL Certificate?

A virtual certificate that is intended for the authentication of the identity of a web page is known as an SSL certification. The term “SSL” is the abbreviation of “Secure Sockets Layer”. SSL certificates ensure that a user’s internet connection is securely encrypted without any scope of privacy breach. It generates a protocol of protection that essentially establishes a hyperlink between a web browser and a web server.


SSL certificates are required by major corporations or business organizations during the creation of their official website. As a result, all transactions between an organization and their clients are strongly safeguarded and privacy of customer details is ensured. 


In a nutshell, the predominant role of an SSL certificate is establishing secure connections and preventing access of unauthorized sources that may potentially cause harm to personal data.


Usage of Subject Alternative Names


A Subject Alternative Name field (abbreviated to “SAN”) is primarily required for providing users with the ability to be specific about additional host names ( i.e., IP addresses, site names, common names and so on). These supplementary details will also be safeguarded by an SSL certificate in the form of either a “Multi-Domain Certificate” or an “Extra Validation Multi Domain Certificate”. 


SAN finds maximum usage in securing host names on various domains in just one SSL certificate. A Subject Alternative Field is particularly utilized for the affiliation of storage. It can be alternatively stated that SAN is an organized method of indication of all IP addresses and domain names that are necessary to be secured. 


Use of SAN by browsers


When the browser that you are using tries to establish a connection using the HTTPS hyperlink, it first ensures the name matching between your SSL certificate and the host name that is exhibited in the address bar of the website in question. 


There are technically three methods of ensuring name compatibility are:

  • First Name Compatibility: the host name present in the address bar of the web server is precisely the same as the name displayed on the SSL certificate of that particular web page.
  • Wildcard common name compatibility: The host name must contain some matches with any random wildcard common name. For instance, the URL “” is compatible with “*”, which is a common name.
  • SAN field: The name of the host web page must be available in the Selective Alternative Name (SAN) field. 


The most typical method of SSL name matching involves a comparison between the server name and the Common Name in the server’s Certificate performed by the SSL client. All SSL clients will almost definitely help accurate common name matching. 


If a Subject Alternative Name (SAN) field is present in an SSL certificate, SSL clients are expected to skip the Common Name value and look for a match in the SAN list instead. Due to this, DigiCert’s certifications always start with the generic term as the first SAN.


Which SSL clients let the use of subject alternative names? 


Subject Optional Names and Wildcard Certificates are supported by the majority of smartphones, although only exact Common Name matching is supported by all of them.


Some of the clients that allows the usage of SAN field are:

  • Search Engines: Internet Explorer aws the first web browser that began the usage of SAN field, since the time period when Windows 98 was active. Other popular search engines that support Subject Alternative Names are Firefox, Safari, Opera and Netscape. They have been using this field of certification since 2003.
  • Microsoft Edge: The most updated browser that has been released by Microsoft supports SAN.
  • Windows Mobile 5: SAN is supported on Windows Mobile 5. However, it contains a drawback as well. It does not reinforce Wildcard common name matching during the reviewing of name compatibility. 
  • Windows Mobile 6: This platform approves the usage of SAN. Unlike Windows Mobile 5, it has the capability to support Wildcard name matching as well.
  • Newer Palm Treo: The recent launches of these devices make use of Windows Mobile 5. However, the previous models use VersaMail and PalmOS. The older versions do not support SAN. VersaMail is used for ActiveSync on these devices, which run PalmOS. The matching of Subject Alternative Names is not supported by these older Treos.
  • Smart phones with Symbian OS: The recent smartphones that contain the newer version of Symbian OS support Subject Alternative Name matching. This is applicable for devices that use version 9.2 and later. Older Symbian-powered smartphones: Symbian OS 9.1 and before do not enable Subject Alternative Name matching. In Symbian OS 9.2, this issue appears to be rectified.


Since all smart phones are not capable of supporting SAN field, the safest option is to program your common name in such a way that it is compatible with the name that will be used in the majority of cell phones. Otherwise it may be observed that no alternative certificate subject name matches target host name.


No Subject Alternative DNS Name Matching:


This exception during the execution of a certificate is faced by the user when there is an attempt to establish a secure connection over SSL certification and the host name is not validated in comparison to the SSL certificate of the server in question.  


In case a particular web page is making use of Subject Alternative Names, the host name of the requesting server must be a compatible match with one of the SAN fields. If the SSL certificate of the server in question does not contain SANs, in that case there must be a match with the common name of the certificate. 


Final Thoughts


It has already been established how important SSL certificates are in terms of encryption and security. Not only do they enhance security, but also verify the authenticity of websites, convey a trustworthy message to users and clients as well as minimize chances of attackers from creating a fake prototype. In case your website requests a customer’s private information, an SSL certification is mandatory. 

Leave Comment