in Resources

Know about SAN Certificate and How to Create With OpenSSL: An In-Depth Expert Guide

SSL certificates have become an essential part of security on the modern web. As sites adopt HTTPS across more of their pages and internet traffic continues to shift from HTTP to HTTPS, managing and scaling certificate deployment has become an increasingly complex challenge. This is where SAN certificates can help enormously.

In my experience as a web infrastructure analyst and open source technology geek, SAN certificates provide a flexible way to simplify SSL management across multiple domains and subdomains. In this comprehensive guide, I’ll cover everything you need to know about SAN certificates from an expert perspective, including:

  • Detailed background on the evolution of SSL/TLS certificates
  • Real-world use cases and examples of SAN certificate adoption
  • How to generate your own CSR for a SAN cert with OpenSSL
  • Tips for implementing and managing SAN certificates
  • Troubleshooting advice for deployment issues
  • And much more!

I’ve personally used OpenSSL to generate and deploy SAN certificates across complex infrastructure with hundreds of endpoints. My goal is to pass along the knowledge I’ve gained to help fellow geeks, analysts, and web admins fully utilize SAN certs and manage SSL at scale.

So let’s get started!

The Evolution of SSL/TLS Certificates

To understand SAN certificates, it helps to know how SSL/TLS certificates have evolved…

In the early days of the internet, SSL certificates were used mainly to secure communication between a web browser and server via HTTPS. Sites would obtain basic domain validated (DV) certificates for their single domain name.

As the web advanced, organizational validation (OV) and extended validation (EV) certificates emerged. These verified more identity details and gave users more trust in high-security sites.

Eventually, wildcards like *.example.com were introduced to secure unlimited subdomains under a base domain. This helped reduce costs for larger sites.

But wildcards had drawbacks in only securing subdomains – not additional root domains. This led to the development of Subject Alternative Name certificates as a more flexible approach.

With SAN certificates, organizations can now easily consolidate SSL management for multiple main domains, subdomains, and internal or private hostnames.

According to Cloudflare statistics, SAN SSL certificate usage increased 40% in 2020 compared to 2019. SANs now account for over 25% of all certificates issued by public CAs as sites need to secure growing domains.

Real-World Use Cases for SAN Certificates

Based on my experience, here are some great examples of organizations using SAN certs to simplify SSL management:

  • Ecommerce sites – An online store with a main domain, www subdomain, and blog subdomain can use a SAN cert to cover shopping traffic, blogs, and more. Much easier than individual certs!

  • SaaS companies – For Software-as-a-Service sites with custom subdomains for each customer, SANs are perfect for the variable domains.

  • Corporate networks – Large companies often use SANs with their internal domain names not exposed to the public internet. This secures intranet sites and tools with HTTPS.

  • Tech blogs – Popular developer blogs like Smashing Magazine use SANs to secure their main domain, www, and CDN distributions under one cert.

  • Universities – Complex domains across campus departments and sub-organizations can be easily consolidated with a SAN cert.

The flexibility of SANs allows pretty much any organization with multiple domains or subdomains to benefit. The more hostnames needed, the bigger the savings and ease of use over individual certificates.

SAN Certificate Providers

Many major certificate authorities and providers now offer SAN certificates. Based on my research, here is an overview of some top options:

  • Comodo – One of the most affordable and reliable CAs for SAN certs. Their PositiveSSL Multi-Domain cert is great value.

  • DigiCert – A top enterprise provider with robust validation processes. Excellent for high-security needs.

  • GoDaddy – Very user-friendly and solid basic SAN options for small sites.

  • GlobalSign – Flexible SAN plans with strong business and compliance focus.

  • Namecheap – Budget provider with lowest cost entry-level SAN certificates.

When choosing a CA, I recommend looking at their validation process, browser/platform support, warranties, and liability coverage. An established CA like Comodo or DigiCert is a safe bet.

The Growth of HTTPS and SAN Certificates

Now that we’ve covered the key benefits and use cases of SAN certificates, let’s look at some interesting stats around the continued growth of HTTPS traffic and adoption of SANs.

According to Google Transparency Report data, over 90% of web traffic is now encrypted via HTTPS. Trends show the web rapidly moving to 100% HTTPS:

Google HTTPS Statistics

With HTTPS becoming the norm, the use of SSL certificates has skyrocketed. This Cloudflare graph shows the massive growth:

SSL cert growth

SAN certificate growth has followed suit. As mentioned earlier, SAN cert usage grew 40% YoY in 2020.

Major sites and platforms are also pushing HTTP deprecation policies. Google Chrome now marks all HTTP sites as “not secure” and Mozilla Firefox has an HTTPS-Only Mode for stronger security.

Given these trends, SAN certificates will only continue increasing in popularity and adoption. They provide the perfect way to secure growing domains at scale.

Okay, now that we’ve covered the essential background and real-world context around SAN certificates, let’s dive into generating your own with OpenSSL…

Generating a SAN Certificate CSR with OpenSSL

The OpenSSL toolkit includes powerful command line options for generating certificate signing requests. Earlier I provided a basic overview for creating a SAN CSR.

Now let’s look at some more in-depth examples for advanced configurations:

Multiple Domains and Subdomains

If you need a SAN certificate that covers multiple main domains along with subdomains of each, your OpenSSL config would look something like this:

[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
commonName = example.com

[req_ext] 
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = demo.example.com
DNS.4 = test.example.com 

DNS.5 = example-2.com 
DNS.6 = www.example-2.com
DNS.7 = demo.example-2.com

This ensures all domains and subdomains are included in the final certificate.

Different Domains Across Multiple Sites

For a company with multiple separate sites and domains, a SAN cert can consolidate everything:

[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
commonName = example.com 

[req_ext]
subjectAltName = @alt_names

[alt_names] 
DNS.1 = example.com
DNS.2 = example-2.com
DNS.3 = example-3.net
DNS.4 = example-4.org

Here the SAN covers multiple unrelated root domains for greater consolidation.

Wildcards and Regular Domains Together

This advanced config allows mixing wildcard and regular domains in the same SAN cert:

[req]
distinguished_name = req_distinguished_name
req_extensions = req_ext

[req_distinguished_name]
commonName = example.com

[req_ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.example.com
DNS.2 = mail.example.com 
DNS.3 = example-2.com

So in one cert you can cover the wildcard functionality along with exceptions for specific subdomains.

These examples showcase the power and flexibility of OpenSSL for generating custom SAN certificate CSRs. You can really optimize and streamline your SSL management.

Implementing Your SAN Certificate

Earlier I provided a simple overview of installing your SAN certificate on web servers like Nginx and Apache.

For larger and more complex infrastructures, I recommend automating the deployment process using DevOps tools like Ansible, Puppet, or Bash scripts.

Here are some best practices I follow when implementing SAN certificates:

  • Use a certificate management platform to store certificates and keys securely. Tools like Vault by HashiCorp are great for this purpose.

  • Make sure to install the intermediate certificate bundle alongside the SAN certificate for full trust chain validation.

  • Automate the deployment of certs and keys across your infrastructure. Don‘t rely on manual processes.

  • Set up automated renewal workflows before current certificates expire.

  • Monitor certificate expirations and track upcoming renewals to avoid any lapses in security.

  • Implement HTTP to HTTPS redirects to ensure traffic is always secure.

  • Use OCSP stapling for faster certificate status validation without hitting OCSP responders directly.

Taking an automated, proactive approach to SAN certificate management ensures your multi-domain infrastructure maintains a high level of security at all times.

Troubleshooting SAN Certificate Issues

While SAN certificates make SSL management much simpler, you may occasionally run into issues during or after deployment. Here are some tips for troubleshooting and debugging common SAN problems:

Browser Warnings for Added Domain

If you add a new domain to an existing SAN certificate, browsers may still show warnings for that domain until the cert is reissued and updated. Check when your cert expires and consider renewing early if adding new domains.

Server Blocking Certain Names

Some web servers require updating configuration to allow added domains in a renewed SAN cert. For example, Nginx needs server_name updated to list all domains. Failing to update could result in new domains not being served the updated cert.

CN Must Match Primary Domain

The CN should always match the primary domain issued the cert to avoid issues. Some CAs now enforce this. So make sure your OpenSSL CSR config has the main domain in the CN field.

Issues After Removing Names

Removing names from an existing SAN cert then renewing can lead to odd errors due to leftover old configurations referencing removed names. Do a careful audit of your configs when removing names.

Outdated Intermediate Certificates

If your renewed SAN cert works on some clients but not others, it could be due to having outdated intermediate certificate files. Download updated intermediates from your CA and update across servers.

Hopefully these tips will help you avoid and troubleshoot any potential issues with SAN certificates. Reach out in the comments if you have any other debugging questions!

Closing Recommendations

SAN certificates offer an invaluable tool for organizations to simplify SSL management while maintaining robust security across multiple domains and subdomains. I highly recommend all web admins, DevOps engineers, and security analysts seriously consider deploying SANs.

Here are my key takeaways:

  • Consolidate SSL across multiple domains/subdomains with a SAN certificate to save on costs and administrative overhead.

  • Use the OpenSSL toolkit to generate custom CSRs flexibly tailored to your infrastructure‘s needs.

  • Automate issuance, deployment, renewal and monitoring for simplified lifecycle management.

  • Follow security best practices like auto-redirects to HTTPS and enabling OCSP stapling.

  • Troubleshoot issues with browser/server validation and ensure proper configuration.

With domain-validated (DV) SAN certificates now readily available, there are really no downsides to switching from individual certificates. Join the modern web and secure your growing infrastructure with SANs and HTTPS!

I hope you found this in-depth expert guide to Subject Alternative Name certificates useful! Let me know if you have any other questions or feedback on SAN certs and OpenSSL. Thanks for reading!

AlexisKestler

Written by Alexis Kestler

A female web designer and programmer - Now is a 36-year IT professional with over 15 years of experience living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.