← Back to Blog
explainer

Multi-Domain SAN SSL Certificates Explained: One Cert for Multiple Domains

Managing separate SSL certificates for each domain on a server gets old fast. A multi-domain SAN certificate (also called a UCC or multi-domain certificate) lets you list multiple fully qualified domain names on a single certificate — different root domains, different subdomains, or a mix of both. One certificate, one renewal, one installation.

🔒

Free SSL Checker

View all SANs on your certificate and confirm every domain is covered.

Try It Free →

The right choice depends on your situation. Use a wildcard when you control all subdomains of one domain and frequently add new ones. Use a SAN certificate when you need to cover multiple different root domains, or when you only need specific subdomains rather than all of them.

How to Generate a CSR for Multiple Domains

When requesting a multi-domain certificate, you need a CSR that includes the SAN extension. The Common Name alone isn't sufficient. Use OpenSSL with a configuration file:

First, create a file called san.cnf:

[req] default_bits = 2048 prompt = no default_md = sha256 req_extensions = req_ext distinguished_name = dn [dn] C = US ST = California L = San Francisco O = Your Company Name CN = example.com [req_ext] subjectAltName = @alt_names [alt_names] DNS.1 = example.com DNS.2 = www.example.com DNS.3 = example.net DNS.4 = www.example.net DNS.5 = shop.example.org

Then generate the CSR:

openssl req -new -newkey rsa:2048 -nodes \ -keyout multi-domain.key \ -out multi-domain.csr \ -config san.cnf

Submit the multi-domain.csr to your CA. They'll validate each domain listed (via email, file, or DNS validation) and issue a certificate covering all of them.

Verifying SANs on an Existing Certificate

To check which domains a certificate already covers:

# Check SANs on a live server openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null \ | openssl x509 -noout -text | grep -A5 "Subject Alternative Name" # Check SANs in a certificate file openssl x509 -in certificate.crt -noout -text | grep -A5 "Subject Alternative Name"

Installing a Multi-Domain Certificate

Installation is identical to any other certificate — same files, same directives. The server presents the certificate and browsers automatically check whether the domain in the URL matches any SAN in the certificate. The web server needs no special configuration to handle multiple domains on one certificate:

# Apache — the same certificate works for all SANs # Add a separate VirtualHost block per domain <VirtualHost *:443> ServerName example.com SSLCertificateFile /etc/ssl/multi-domain.crt SSLCertificateKeyFile /etc/ssl/multi-domain.key SSLCertificateChainFile /etc/ssl/chain.crt </VirtualHost> <VirtualHost *:443> ServerName example.net SSLCertificateFile /etc/ssl/multi-domain.crt SSLCertificateKeyFile /etc/ssl/multi-domain.key SSLCertificateChainFile /etc/ssl/chain.crt </VirtualHost>

Managing SAN Certificates: Key Considerations

  • Adding a domain means reissuing: Every new domain requires a new CSR and reissuance from the CA. Budget time for this when planning to add domains.
  • Domain validation per SAN: Each domain listed must be validated by your CA. For DV (Domain Validation) certificates, this means you need access to email or DNS records for every domain.
  • Revocation affects all SANs: If the certificate is revoked (e.g., private key compromised), all domains on the certificate are affected simultaneously. High-risk domains should have their own certificates.
  • Renewal timing: Renew before the earliest expiry impact. Set a reminder well before the certificate expires — all covered domains go down at once.
One private key protects all your domains. With a multi-domain certificate, a single compromised private key gives an attacker the ability to impersonate every domain on the certificate. Store the private key securely and consider whether grouping sensitive domains together is the right tradeoff.

FAQs

  • How many domains can I put on one SAN certificate?
    CAs typically allow up to 100 SANs on a single certificate. Let's Encrypt allows up to 100 SANs per certificate as well. Most practical use cases are well under this limit.
  • Can I mix different types of domains — like a root domain and a subdomain — on one SAN cert?
    Yes. You can list example.com, www.example.com, blog.example.com, and completely unrelated domains like myotherdomain.net all on the same certificate. The only requirement is that you can validate ownership of each domain listed.
  • Does Let's Encrypt support multi-domain SAN certificates?
    Yes. You can request up to 100 SANs with Certbot using the -d flag for each domain: certbot certonly -d example.com -d www.example.com -d example.net. Note that all domains must resolve to a server you can prove control of.

Generating Multi-Domain CSRs on Windows

Windows Server certreq / PowerShell

Windows has two methods for generating a SAN CSR: the built-in certreq tool (no third-party software needed) or OpenSSL on Windows (same syntax as Linux).

Method 1: certreq with SAN INF File

Create a file called C:\ssl\san.inf:

[Version] Signature="$Windows NT$" [NewRequest] Subject = "CN=example.com, O=Your Company, L=City, S=State, C=US" KeySpec = 1 KeyLength = 2048 Exportable = TRUE MachineKeySet = TRUE RequestType = PKCS10 HashAlgorithm = SHA256 [EnhancedKeyUsageExtension] OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication [Extensions] 2.5.29.17 = "{text}" _continue_ = "dns=example.com&" _continue_ = "dns=www.example.com&" _continue_ = "dns=example.net&" _continue_ = "dns=www.example.net&" _continue_ = "dns=shop.example.org&"
:: Generate the CSR (private key stored in Windows Certificate Store) mkdir C:\ssl certreq -new C:\ssl\san.inf C:\ssl\multi-domain.csr :: View the CSR to verify SANs are included certutil -dump C:\ssl\multi-domain.csr | findstr /i "dns" :: After your CA issues the certificate: certreq -accept certificate.crt

Method 2: OpenSSL on Windows (Identical to Linux)

:: Install OpenSSL winget install ShiningLight.OpenSSL :: Create the same san.cnf file shown in the Linux section above :: Then run — identical commands as Linux: openssl genrsa -out multi-domain.key 2048 openssl req -new -key multi-domain.key -out multi-domain.csr -config san.cnf :: Verify SANs are in the CSR openssl req -text -noout -in multi-domain.csr | findstr /i "dns"

Multi-Domain Certificates in IIS

Once your CA issues the multi-domain certificate, import it as a PFX and bind it to each site in IIS. The SAN domains are embedded in the certificate — IIS presents the correct certificate for each domain listed in the SAN automatically.

# Import the multi-domain PFX $pw = ConvertTo-SecureString "exportPassword" -AsPlainText -Force $cert = Import-PfxCertificate ` -FilePath "C:\inetpub\ssl\multi-domain.pfx" ` -CertStoreLocation Cert:\LocalMachine\My ` -Password $pw # Verify all SANs are present in the imported cert $cert.DnsNameList | Select-Object -ExpandProperty Unicode # Bind to multiple IIS sites with one certificate Import-Module WebAdministration $thumbprint = $cert.Thumbprint foreach ($site in @("example.com", "example.net", "shop.example.org")) { New-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $site -ErrorAction SilentlyContinue $binding = Get-WebBinding -Name $site -Protocol https $binding.AddSslCertificate($thumbprint, "My") Write-Host "Bound multi-domain cert to $site" }

Multi-Domain Certificates on macOS

macOS Terminal / Homebrew

On macOS, generate the SAN CSR using the same san.cnf and OpenSSL commands from the Linux section — the syntax is identical. macOS ships with LibreSSL (compatible), or install full OpenSSL via brew install openssl.

# Generate multi-domain CSR on macOS — same as Linux: openssl genrsa -out multi-domain.key 2048 openssl req -new -key multi-domain.key -out multi-domain.csr -config san.cnf # Verify SANs are included openssl req -text -noout -in multi-domain.csr | grep -A5 "Subject Alternative" # For Homebrew Apache — configure multiple server blocks pointing to the same cert: # In /opt/homebrew/etc/httpd/extra/httpd-ssl.conf, add multiple VirtualHost blocks # each pointing to the same SSLCertificateFile (the multi-domain cert covers them all) # Trust a multi-domain cert for local dev: sudo security add-trusted-cert -d -r trustRoot \ -k /Library/Keychains/System.keychain multi-domain.crt

Generate a multi-domain CSR for your certificate

Create a CSR with multiple SANs for any CA. Our CSR Generator includes SAN field support.