SAN vs. wildcard certificates – what’s the difference?

OpenSRS offers an impressive lineup of SSL certificate products.

We’ve received a few queries about Subject Alternative Name (SAN) certificates and how they differ from wildcard certs. With that in mind, I’ve put together a quick reference guide here.

Let’s start with a basic look at both wildcard and SAN certs.

What is a SAN Certificate?

In this case, a single certificate for digicert.com also protects thawte.com.

SAN certificates allow for multiple fully qualified domain names to be protected using a single certificate.

For example, you could get a certificate for the primary domain, opensrs.com, and then add more SAN values to have the same certificate protect opensrs.org, opensrs.net, and even tucows.com.

What is a Wildcard Certificate?

A wildcard SSL certificate, on the other hand, allows for unlimited subdomains to be protected with a single certificate.

For example, you could use a wildcard certificate for the primary domain name, opensrs.com, and that cert would also work for mail.opensrs.com, ftp.opensrs.com, and any other subdomain. The wildcard refers to the fact that the cert is provisioned for *.opensrs.com.

Here’s a handy graphic that summarizes the difference:



When to choose a wildcard and when to choose a SAN certificate

Wildcard certs are great for protecting multiple subdomains on a single domain. In many cases, the wildcard cert makes more sense than a SAN because it allows for unlimited subdomains and you don’t need to define them at the time of purchase. You could provision *.opensrs.com and if at any time during the life of the certificate you decided to add www3.opensrs.com or mail.opensrs.com, that certificate would automatically protect these subdomains, no reissue required.

If, on the other hand, you need to protect multiple domain names, then the SAN certificate might be the right choice, for example if you wanted to protect opensrs.com and opensrs.net. One caveat – you need to define the additional domains and add them to the certificate (reissue required) for it to work. We’ve got a knowledge base article, How to add SAN(s) to an existing SSL certificate, that walks you through this process.

SAN certificates, like wildcard certs, are a great way to save some money and also to make administration a bit easier, as you can reduce the number of certificates provisioned since they cover multiple domains.
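The practical difference between the two certificate types comes down to how a browser matches the name it connected to against the names in the certificate. The following script is an added example written for this post, not OpenSRS code: it applies the matching rules browsers use (exact match for plain SAN entries; a `*` only as the entire leftmost label, matching exactly one label) and runs them over constructed certificate data in the shape Python's `ssl` module returns from `getpeercert()`. It goes a little beyond the article by also showing the cases that trip people up: a wildcard does not cover the bare domain, nor a sub-subdomain, and comparison is case-insensitive. The function names and the sample certificates are mine; the `fetch_peercert` helper uses the standard library and is only there so you can point the same check at a live server.

```python
"""Hostname-to-SAN matching the way browsers do it (RFC 6125 style).

Added example, not OpenSRS code. The certificate dictionaries below are
constructed to mirror what ssl.SSLSocket.getpeercert() returns.
"""
import socket
import ssl
from typing import Dict, List, Optional


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single SAN dNSName entry covers hostname.

    Rules applied (the ones browsers enforce):
    - comparison is case-insensitive and ignores a trailing dot
    - '*' is honoured only when it is the whole leftmost label
    - '*' matches exactly one label, so *.example.com covers
      mail.example.com but neither example.com nor a.b.example.com
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial wildcards (w*.example.com) and multi-level ones
    # (*.*.example.com); browsers do not honour either form.
    if p_labels[0] != "*" or "*" in p_labels[1:]:
        return False
    if len(p_labels) < 3:
        return False  # refuse *.com style patterns
    if len(p_labels) != len(h_labels):
        return False  # the wildcard stands in for exactly one label
    return p_labels[1:] == h_labels[1:]


def dns_names(peercert: Dict) -> List[str]:
    """Extract the dNSName entries from getpeercert() output."""
    return [value for kind, value in peercert.get("subjectAltName", ())
            if kind == "DNS"]


def covering_name(hostname: str, peercert: Dict) -> Optional[str]:
    """Return the SAN entry that covers hostname, or None on a name mismatch."""
    for name in dns_names(peercert):
        if name_matches(name, hostname):
            return name
    return None


def fetch_peercert(host: str, port: int = 443) -> Dict:
    """Fetch a live server's certificate for inspection (needs network).

    Chain verification stays on; only the hostname check is disabled so
    that a mismatched certificate is still returned for diagnosis.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real issued certificates).
SAN_CERT = {"subjectAltName": (("DNS", "opensrs.com"), ("DNS", "opensrs.org"),
                               ("DNS", "opensrs.net"), ("DNS", "tucows.com"))}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.opensrs.com"),
                                    ("DNS", "opensrs.com"))}
BARE_ONLY_CERT = {"subjectAltName": (("DNS", "mycompany.com"),)}


if __name__ == "__main__":
    checks = [
        ("mail.opensrs.com", WILDCARD_CERT),      # covered by *.opensrs.com
        ("opensrs.com", WILDCARD_CERT),           # covered only via the extra bare entry
        ("server.ca.domain.tld", {"subjectAltName": (("DNS", "*.domain.tld"),)}),  # mismatch
        ("www.mycompany.com", BARE_ONLY_CERT),    # the name-mismatch error from the comments
        ("tucows.com", SAN_CERT),
    ]
    for host, cert in checks:
        print(f"{host:24} -> {covering_name(host, cert) or 'NAME MISMATCH'}")
```

Run it as-is for the offline demonstration, or call `covering_name("www.yourdomain.example", fetch_peercert("www.yourdomain.example"))` to check what a real server presents. If the result is `None`, the certificate's SAN list does not contain a name that matches, which is exactly the situation described in the comments below where a certificate issued for the bare domain is used on the www host.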

Some important things to note:

Most of the SSL certificates we sell that support SANs allow you to cover up to 250 domain names (including the primary domain name), and you simply pay a fee for each additional domain name you add. In most cases, the SAN values can be changed at any time during the life of the certificate – you just need to change the value, and then do a free re-issue.

Further questions? Just ask!

I hope that helps a bit in terms of understanding the applications for both SAN certificates and wildcard certs. We’ve answered a lot of common questions about SSL certificates, including the different levels of authentication they provide (DV, OV, and EV SSL certificates), on our blog. If you need further help, we encourage you to contact our support team.

22 thoughts on “SAN vs. wildcard certificates – what’s the difference?”

  1. Hi,

    So if I have one domain and three subdomains does it make sense to get the wildcard cert? If the SSL cert is compromised for mail.company.com does that mean http://www.company.com is compromised too?

    Thank you,

    ST

  2. A wildcard sounds like the best option for you to protect a domain plus unlimited subdomains. You’d get a cert for *.company.com which would handle http://www.company.com, mail.company.com and any other subdomain you might have.

    As for the second part of the question, I’m not sure what you mean by “if the SSL cert is compromised”. A Certificate Authority could be compromised and all the certs could be revoked, but that is exceptionally rare and very unlikely for the Certificate Authorities that we sell through OpenSRS.

  3. Thanks for the quick reply and information. I did not know that the CA would need to be compromised in order for the cert to be revoked. That makes sense.

    Thanks again.

  4. Hi,

    I am wondering if we can use canonical name in the wildcard certificate to add sites in other domains, for example if we have a *mydomain.com certificate, can we add mail1.mydomain.com which is a mask for server1.mydomain.NET into the existing *.mydomain.com certificate? Thanks

    Lee

  5. Hi,
    What if I have a SAN certificate that has multiple domains on it but I now have a requirement to protect multiple sub domains on one of the domains. Does the domain in question have to be taken off the SAN cert and a new wildcard cert purchased for the domain in question or is there a way to combine the two i.e. apply a wildcard cert to a SAN domain?

    Thanks

    KH

  6. I always got my ssl certs from Comodo – and last switched to RapidSSL (GeoTrust?) – now I’m getting a ‘name mismatch error’ on my https pages. Error given is:
    The certificate is not trusted because no issuer chain was provided.
    http://www.mycompany.com uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. The certificate is only valid for mycompany.com (Error code: sec_error_unknown_issuer).

    Never had this before – should I have got a SAN cert? or is there a fix for this within the IIS7.5 server?

  7. I use Comodo as well because it secures both the root domain name “example.com” as well as the “www” subdomain “www.example.com” meaning you can use any of those 2 names. With other CAs, you need to check whether they support both, because in some cases they just issue the certificate for the domain name you have specified. In your case that most likely was “mycompany.com”, so subdomain “www” is not covered. Just check your cert info under “Certificate Subject Alternative Name” to make sure you see both the root domain and the subdomain.

  8. It actually wouldn’t necessarily be handled by the wildcard. `example.com` and `*.example.com` are different domain names. In practice, though, all wildcard certs I’ve seen also include the bare domain as an alternative name (or vice versa). So you’ll get one cert which covers `example.com` and `*.example.com`. In principle, though, it would be possible to get a cert which covers only `*.example.com` and not `example.com` itself.

    TRiG.

  9. One query on this. Is it possible to change the primary domain that was originally registered? For example if I registered with example1.com and then registered 4 additional SANs example2.com example3.com etc. Am I then able to later change that primary domain example1.com to example2.com for instance?

  10. Hello,

    To answer your question, you cannot change the root domain the SAN SSL has been issued to.

  11. I’m looking at sub sub domains as we expand into different regions.

    Based on my understanding it should be possible to have a WILDCARD SAN that supports sub.domain.tld and sub.sub.domain.tld

    In our case it would be server.countrycode.domain.tld, the issue with our wildcard for *.domain.tld it does not match on sub.*.domain.tld

    After talking with COMODO they suggested creating a certificate for *.domain.tld and adding a SAN for *.*.domain.tld

    As for how it works with OpenSRS I’m not entirely sure.

    Based on the trust interface we don’t have an option for Comodo SAN

    GeoTrust TrueBusinessID SAN seems to support it; but I’m not sure if I can register both sub and sub-subdomains.

    Based on my understanding I might need to purchase a *.domain.tld wildcard and then *.ca.domain.tld, *.us.domain.tld and *.eu.domain.tld wildcards;

    But then wouldn’t a SAN wildcard support this in the “4 to 10” supported domains?

  12. Hello, a general question: if I buy a SAN certificate for multiple domains x.com, y.net and z.org and I wish to conceal all possible information within the SAN certificate, meaning that if a client accesses x.com he would see that this cert is only for x.com and not all the other domains in this cert, is that a possible scenario?
