SAN & UCC SSL certificates


I used wildcard certificates in the past but hadn't come across SAN (Subject Alternative Name) before. Apparently what it does is allow you to define multiple domains with a single certificate.

  • A wildcard certificate (e.g. *.example.com) works for multiple (unlimited) subdomains on a single domain. Note that the wildcard matches exactly one label: *.example.com covers www.example.com and mail.example.com, but not example.com itself and not a.b.example.com.
  • A SAN certificate works for multiple domains (e.g. example.com, example.net, etc.), each listed explicitly in the certificate. It has a limitation though: the names are fixed when the certificate is issued, and CAs sell them in tiers. Here you can initially add up to 4 domain names; if you exceed that, the next limit is 25.

If I have to choose I'd still go with wildcards as they are cheaper, but SAN seems to have its uses too.

Wildcard certs are great for protecting multiple subdomains on a single domain. In many cases the wildcard cert makes more sense than a SAN because it allows for unlimited subdomains and you don't need to define them at the time of purchase. You could provision *.opensrs.com and, at any time during the life of the certificate, decide to add www3.opensrs.com or mail.opensrs.com; that cert would just work, no reissue required. The flip side is that one private key now protects every subdomain, so wherever that key is deployed, a compromise of any one of those hosts exposes all of them.
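To make "that cert would just work" concrete, here is an added example (not code from the original post or from any vendor) that implements the hostname-matching rules browsers apply to the dNSName entries of a certificate's SAN extension, following RFC 6125: a wildcard is only honoured as the whole leftmost label, it matches exactly one label, partial wildcards such as w*.example.com are rejected, and the subject Common Name is ignored. The two SAN lists (`WILDCARD_SANS`, `SAN_CERT_SANS`) are constructed stand-ins for a wildcard cert and a multi-domain SAN/UCC cert, not parsed from real certificates; iPAddress SAN entries and public-suffix checks are out of scope.

```python
"""Which hostnames does a certificate actually cover?

Added example (not from the original post): the hostname-matching rules
that browsers apply to the dNSName entries of a certificate's Subject
Alternative Name extension, following RFC 6125:

  * comparison is case-insensitive and label by label;
  * a wildcard is only honoured as the entire leftmost label ("*.example.com");
  * "*" matches exactly one label, so "*.example.com" covers "www.example.com"
    but neither "example.com" itself nor "a.b.example.com";
  * the subject Common Name is ignored; only SAN entries count.

The certificate contents below are constructed, not parsed from real certs.
"""


def _labels(name: str) -> list[str]:
    """Lower-case, drop a trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def san_matches(pattern: str, hostname: str) -> bool:
    """True if a single dNSName SAN entry covers hostname."""
    if "*" in hostname or not hostname:
        return False                      # a hostname can never contain a wildcard
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False                      # "*" spans one label, never zero or several
    if p[0] == "*":
        # Refuse "*.com"-style patterns that would cover a whole TLD.
        # (A full public-suffix check is out of scope here.)
        if len(p) < 3:
            return False
        return p[1:] == h[1:]
    if any("*" in label for label in p):
        return False                      # "w*.example.com" or "www.*.com": browsers reject
    return p == h


def cert_covers(san_names: list[str], hostname: str) -> bool:
    """True if any SAN dNSName in the certificate covers hostname."""
    return any(san_matches(n, hostname) for n in san_names)


# Constructed SAN lists standing in for the two certificate types discussed.
WILDCARD_SANS = ["*.example.com"]
SAN_CERT_SANS = ["example.com", "www.example.com", "example.net", "mail.example.org"]


def coverage_report(san_names: list[str], hostnames: list[str]) -> dict[str, bool]:
    """Map each candidate hostname to whether this certificate covers it."""
    return {h: cert_covers(san_names, h) for h in hostnames}


if __name__ == "__main__":
    probes = ["example.com", "www.example.com", "www3.example.com",
              "a.b.example.com", "example.net", "www.example.net"]
    for label, sans in (("wildcard", WILDCARD_SANS), ("SAN/UCC", SAN_CERT_SANS)):
        print(f"{label} cert {sans}:")
        for host, ok in coverage_report(sans, probes).items():
            print(f"  {host:20s} {'covered' if ok else 'NOT covered'}")
```

Running it shows the point of the list above: the wildcard cert covers any new one-level subdomain (www3.example.com) without reissue, but not the bare domain or a deeper name, while the SAN cert covers exactly the names baked into it and nothing else.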

Then there is something called UCC (Unified Communications Certificate). This is a certificate type marketed for Microsoft products; technically it is just a multi-domain SAN certificate. The vendor definition reads:

A Unified Communications Certificate (UCC) is an SSL certificate that secures multiple domain names and multiple host names within a domain name. A UCC lets you secure a primary domain name and up to 99 additional Subject Alternative Names (SANs) in a single certificate. UCCs are ideal for Microsoft® Exchange Server 2007, Exchange Server 2010, and Microsoft Live® Communications Server.

UCCs are compatible with shared hosting. However, the site seal and certificate "Issued To" information will only list the primary domain name. Please note that any secondary hosting accounts will also be listed in the certificate's SAN list, which anyone who inspects the certificate can read, so if you do not want sites to appear 'connected' to each other, you should not use this type of certificate.
