OpenSRS offers an impressive lineup of SSL certificate products.
Some certs are Subject Alternative Name or SAN certificates – they allow for more than one fully qualified domain name to be protected using a single certificate.
We’ve received a few queries about SAN certificates and how they differ from wildcard certs. With that in mind, I’ve put together a quick reference guide here.
Let’s start with a basic look at both wildcard and SAN certs.
- Wildcard: a wildcard certificate allows for unlimited subdomains to be protected with a single certificate. For example, you could use a wildcard certificate for the domain name opensrs.com and that cert would also work for mail.opensrs.com, ftp.opensrs.com and any other subdomain. The wildcard refers to the fact that the cert is provisioned for *.opensrs.com.
- SAN: a SAN cert allows for multiple domain names to be protected with a single certificate. For example, you could get a certificate for opensrs.com, and then add more SAN values to have the same certificate protect opensrs.org, opensrs.net and even tucows.com.
Some important things to note:
Depending on the specific brand and certificate product, the SAN cert will include either one or four additional domains at the price quoted on our chart. Additional SAN values can usually be added up to a maximum number of either 5 or 25 total domains (including the base domain).
In most cases, the SAN values can be changed at any time during the life of the certificate – you’d just need to change the value, and then do a free re-issue.
When to choose a wildcard, and when to choose a SAN:
Wildcard certs are great for protecting multiple subdomains on a single domain. In many cases, the wildcard cert makes more sense than a SAN because it allows for unlimited subdomains and you don’t need to define them at the time of purchase. You could provision *.opensrs.com and if, at any time during the life of the certificate, you decided to add www3.opensrs.com or mail.opensrs.com, that cert would just work, no reissue required.
If, on the other hand, you need to protect multiple domain names, then the SAN certificate might be the right choice. Protecting alternative domains with the same website (opensrs.com and opensrs.net) is a great example. One caveat – you need to define the additional domains and add them to the certificate for it to work.
SAN certificates, like wildcard certs, are a great way to save some money and also to make administration a bit easier as you can reduce the number of certificates provisioned since they cover multiple domains.
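To see the difference in coverage concretely, here is an added example (not OpenSRS code) that checks which hostnames a certificate's DNS names cover, using the usual matching rule that a `*` stands for exactly one left-most label. The certificate name lists and the hostname list are constructed for illustration; note that a wildcard name by itself covers neither the bare domain nor deeper names such as a.mail.opensrs.com, and a SAN cert covers only the names listed on it.

```python
# Added example: which hostnames do a certificate's DNS names cover?
# All name lists below are constructed for illustration.

def _labels(name: str) -> list[str]:
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def entry_matches(entry: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname.

    A "*" is honoured only as the entire left-most label and stands for
    exactly one label (the common RFC 6125 style rule).
    """
    e, h = _labels(entry), _labels(hostname)
    if len(e) != len(h) or "" in h:
        return False
    if e[0] == "*":
        # Conservative choice in this example: require at least two fixed
        # labels after the wildcard, so "*.com" never matches anything.
        return len(e) >= 3 and e[1:] == h[1:]
    # Partial wildcards such as "w*.opensrs.com" are not honoured here.
    return "*" not in entry and e == h

def covered(cert_names: list[str], hostname: str) -> bool:
    return any(entry_matches(n, hostname) for n in cert_names)

def uncovered(cert_names: list[str], hostnames: list[str]) -> list[str]:
    """Return the hostnames the certificate would NOT protect."""
    return [h for h in hostnames if not covered(cert_names, h)]

# Constructed certificate name sets.
WILDCARD_ONLY = ["*.opensrs.com"]
WILDCARD_PLUS_BASE = ["*.opensrs.com", "opensrs.com"]
SAN_CERT = ["opensrs.com", "opensrs.org", "opensrs.net", "tucows.com"]

# Constructed list of sites an administrator wants to protect.
SITES = ["opensrs.com", "mail.opensrs.com", "www3.opensrs.com",
         "a.mail.opensrs.com", "opensrs.net", "tucows.com"]

if __name__ == "__main__":
    for label, names in [("wildcard only", WILDCARD_ONLY),
                         ("wildcard + base", WILDCARD_PLUS_BASE),
                         ("SAN cert", SAN_CERT)]:
        print(f"{label:16} misses: {uncovered(names, SITES)}")
```

Running the same check against the names on a real certificate before deployment shows which sites would still raise a name-mismatch warning.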
One last note – the unique QuickSSL Premium with SAN:
We also sell a bit of a hybrid product – the GeoTrust QuickSSL Premium with SAN. This cert is a bit different than the rest of our SAN products. It allows for the protection of four subdomains in addition to the base domain. That makes it more like a restricted wildcard certificate than a true SAN. You also have to add the subdomains at the time of purchase, and they can’t be altered once the cert is provisioned.
You might wonder, as I did initially, why it even exists. Priced at $125, it’s a lower cost product that’s quite a bit cheaper than our least expensive wildcard certificate (the Comodo SSL Wildcard – $199). It’s also a domain-validated certificate (as opposed to being organizationally validated as all of our other SAN certs are) which means that issuance is fast.
For applications where you know the subdomains that you want to have protected, the GeoTrust QuickSSL Premium with SAN is a nice option.
Further questions? Just ask!
I hope that helps a bit in terms of understanding the applications for both these new SAN certificates and also for wildcard certs. Learn more about DV, OV and EV certificates.