SAN and wildcard certificates – what’s the difference?

OpenSRS offers an impressive lineup of SSL certificate products.

Some certs are Subject Alternative Name (SAN) certificates: they allow more than one fully qualified domain name to be protected using a single certificate.

The certificate information for a GeoTrust EV certificate with the SAN option. In this case, a single certificate for geotrust.com also protects geotrust.net.

We’ve received a few queries about SAN certificates and how they differ from wildcard certs. With that in mind, I’ve put together a quick reference guide here.

Let’s start with a basic look at both wildcard and SAN certs.

  • Wildcard: a wildcard certificate allows for unlimited subdomains to be protected with a single certificate. For example, you could use a wildcard certificate for the domain name opensrs.com and that cert would also work for mail.opensrs.com, ftp.opensrs.com and any other subdomain. The wildcard refers to the fact that the cert is provisioned for *.opensrs.com.
  • SAN: a SAN cert allows for multiple domain names to be protected with a single certificate. For example, you could get a certificate for opensrs.com, and then add more SAN values to have the same certificate protect opensrs.org, opensrs.net and even tucows.com.

Some important things to note:

Depending on the specific brand and certificate product, the SAN cert will include either one or four additional domains at the price quoted on our chart. Additional SAN values can usually be added up to a maximum number of either 5 or 25 total domains (including the base domain).

In most cases, the SAN values can be changed at any time during the life of the certificate – you’d just need to change the value, and then do a free re-issue.

When to choose a wildcard, and when to choose a SAN:

Wildcard certs are great for protecting multiple subdomains on a single domain. In many cases, the wildcard cert makes more sense than a SAN because it allows for unlimited subdomains and you don’t need to define them at the time of purchase. You could provision *.opensrs.com and, if at any time during the life of the certificate you decided to add www3.opensrs.com or mail.opensrs.com, that cert would just work, with no reissue required.

If, on the other hand, you need to protect multiple domain names, then the SAN certificate might be the right choice. Protecting alternative domains that serve the same website (opensrs.com and opensrs.net) is a great example. One caveat – you need to define the additional domains and add them to the certificate for it to work.

SAN certificates, like wildcard certs, are a great way to save some money and also to make administration a bit easier as you can reduce the number of certificates provisioned since they cover multiple domains.
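To make the difference concrete, here is an added example (not OpenSRS code) of how a TLS client decides whether the hostname it connected to is covered by the dNSName entries in a certificate. It applies the rule browsers use: an exact name match, or a wildcard that stands for exactly one left-most label, so *.opensrs.com covers mail.opensrs.com but neither opensrs.com itself nor a two-level name like server.ca.opensrs.com. The name lists are constructed to stand in for a wildcard cert, a wildcard cert that also lists the bare domain, and a multi-domain SAN cert.

```python
from typing import List, Optional

# Added example: hostname matching against a certificate's dNSName SAN entries.
# Browsers accept an exact match, or a wildcard that replaces exactly one
# left-most label; partial ("mail*.x") and multi-level ("*.*.x") wildcards
# are rejected here because browsers reject them.

def matches_entry(hostname: str, entry: str) -> bool:
    """Match one hostname against one dNSName SAN entry (case-insensitive)."""
    host = hostname.lower().rstrip(".")
    pattern = entry.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    first, _, rest = pattern.partition(".")
    # Only a lone "*" as the whole left-most label is accepted.
    if first != "*" or not rest or "*" in rest:
        return False
    host_first, _, host_rest = host.partition(".")
    # The wildcard must consume one non-empty label and the remaining
    # labels must match exactly, so the bare domain is NOT covered.
    return bool(host_first) and host_rest == rest

def covered_by(hostname: str, san_entries: List[str]) -> Optional[str]:
    """Return the SAN entry that covers hostname, or None if none does."""
    for entry in san_entries:
        if matches_entry(hostname, entry):
            return entry
    return None

# Constructed name lists standing in for the certificate types discussed above.
WILDCARD_ONLY = ["*.opensrs.com"]
WILDCARD_WITH_BARE = ["opensrs.com", "*.opensrs.com"]
MULTI_DOMAIN_SAN = ["opensrs.com", "opensrs.org", "opensrs.net", "tucows.com"]

if __name__ == "__main__":
    checks = [
        ("mail.opensrs.com", WILDCARD_ONLY),       # covered by the wildcard
        ("opensrs.com", WILDCARD_ONLY),            # not covered: bare domain
        ("opensrs.com", WILDCARD_WITH_BARE),       # covered by the bare entry
        ("server.ca.opensrs.com", WILDCARD_ONLY),  # not covered: two labels deep
        ("tucows.com", MULTI_DOMAIN_SAN),          # covered: listed as a SAN
        ("www.tucows.com", MULTI_DOMAIN_SAN),      # not covered: not listed
    ]
    for host, names in checks:
        print(f"{host:24} -> {covered_by(host, names)}")
```

Note that a multi-domain SAN cert covers only the exact names listed, so www.tucows.com would need its own entry (or a *.tucows.com entry) to be covered.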

One last note – the unique QuickSSL Premium with SAN:

We also sell a bit of a hybrid product – the GeoTrust QuickSSL Premium with SAN. This cert is a bit different from the rest of our SAN products. It allows for the protection of four subdomains in addition to the base domain. That makes it more like a restricted wildcard certificate than a true SAN. You also have to add the subdomains at the time of purchase, and they can’t be altered once the cert is provisioned.

You might wonder, as I did initially, why it even exists. Priced at $125, it’s a lower cost product that’s quite a bit cheaper than our least expensive wildcard certificate (the Comodo SSL Wildcard – $199). It’s also a domain-validated certificate (as opposed to being organizationally validated as all of our other SAN certs are) which means that issuance is fast.

For applications where you know the subdomains that you want to have protected, the GeoTrust QuickSSL Premium with SAN is a nice option.

Further questions? Just ask!

I hope that helps a bit in terms of understanding the applications for both these new SAN certificates and also for wildcard certs. Learn more about DV, OV and EV certificates.

22 thoughts on “SAN and wildcard certificates – what’s the difference?”

  1. Hi,

    So if I have one domain and three subdomains does it make sense to get the wildcard cert? If the SSL cert is compromised for mail.company.com does that mean http://www.company.com is compromised too?

    Thank you,

    ST

  2. A wildcard sounds like the best option for you to protect a domain plus unlimited subdomains. You’d get a cert for *.company.com which would handle http://www.company.com, mail.company.com and any other subdomain you might have.

    As for the second part of the question, I’m not sure what you mean by “if the SSL cert is compromised”. A Certificate Authority could be compromised and all the certs could be revoked, but that is exceptionally rare and very unlikely for the Certificate Authorities that we sell through OpenSRS.

  3. Thanks for the quick reply and information. I did not know that the CA would need to be compromised in order for the cert to be revoked. That makes sense.

    Thanks again.

  4. Hi,

    I am wondering if we can use canonical name in the wildcard certificate to add sites in other domains, for example if we have a *mydomain.com certificate, can we add mail1.mydomain.com which is a mask for server1.mydomain.NET into the existing *.mydomain.com certificate? Thanks

    Lee

  5. Hi,
    What if I have a SAN certificate that has multiple domains on it but I now have a requirement to protect multiple subdomains on one of the domains. Does the domain in question have to be taken off the SAN cert and a new wildcard cert purchased for the domain in question or is there a way to combine the two, i.e. apply a wildcard cert to a SAN domain?

    Thanks

    KH

  6. I always got my ssl certs from Comodo – and last switched to RapidSSL (GeoTrust?) – now I’m getting a ‘name mismatch error’ on my https pages. Error given is:
    The certificate is not trusted because no issuer chain was provided.
    http://www.mycompany.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. The certificate is only valid for mycompany.com (Error code: sec_error_unknown_issuer).

    Never had this before – should I have got a SAN cert? or is there a fix for this within the IIS7.5 server?

  7. I use Comodo as well because it secures both the root domain name “example.com” as well as the “www” subdomain “www.example.com” meaning you can use any of those 2 names. With other CAs, you need to check whether they support both, because in some cases they just issue the certificate for the domain name you have specified. In your case that most likely was “mycompany.com”, so subdomain “www” is not covered. Just check your cert info under “Certificate Subject Alternative Name” to make sure you see both the root domain and the subdomain.

  8. It actually wouldn’t necessarily be handled by the wildcard. `example.com` and `*.example.com` are different domain names. In practice, though, all wildcard certs I’ve seen also include the bare domain as an alternative name (or vice versa). So you’ll get one cert which covers `example.com` and `*.example.com`. In principle, though, it would be possible to get a cert which covers only `*.example.com` and not `example.com` itself.

    TRiG.

  9. One query on this. Is it possible to change the primary domain that was originally registered? For example if I registered with example1.com and then registered 4 additional SANs example2.com example3.com etc. Am I then able to later change that primary domain example1.com to example2.com for instance?

  10. I’m looking at sub sub domains as we expand into different regions.

    Based on my understanding it should be possible to have a WILDCARD SAN that supports sub.domain.tld and sub.sub.domain.tld

    In our case it would be server.countrycode.domain.tld, the issue with our wildcard for *.domain.tld it does not match on sub.*.domain.tld

    After talking with COMODO they suggested creating a certificate for *.domain.tld and adding a SAN for *.*.domain.tld

    As for how it works with OpenSRS I’m not entirely sure.

    Based on the trust interface we don’t have an option for Comodo SAN

    GeoTrust TrueBusinessID SAN seems to support it; but I’m not sure if I can register both sub and sub-subdomains.

    Based on my understanding I might need to purchase a *.domain.tld wildcard and then *.ca.domain.tld, *.us.domain.tld and *.eu.domain.tld wildcards;

    But then wouldn’t a SAN wildcard support this in the “4 to 10” supported domains?

  11. Hello, a general question: if I buy a SAN certificate for multiple domains x.com y.net z.org and I wish to conceal all possible information within the SAN certificate, meaning if a client accesses x.com he would see that this cert is only for x.com and not see all the other domains in this cert, is that a possible scenario?
