Multi-Domain SAN SSL Certificates Explained: One Cert for Multiple Domains
Managing separate SSL certificates for each domain on a server gets old fast. A multi-domain SAN certificate (also called a UCC or multi-domain certificate) lets you list multiple fully qualified domain names on a single certificate — different root domains, different subdomains, or a mix of both. One certificate, one renewal, one installation.
Free SSL Checker
View all SANs on your certificate and confirm every domain is covered.
Try It Free →The right choice depends on your situation. Use a wildcard when you control all subdomains of one domain and frequently add new ones. Use a SAN certificate when you need to cover multiple different root domains, or when you only need specific subdomains rather than all of them.
How to Generate a CSR for Multiple Domains
When requesting a multi-domain certificate, you need a CSR that includes the SAN extension. The Common Name alone isn't sufficient. Use OpenSSL with a configuration file:
First, create a file called san.cnf:
Then generate the CSR:
Submit the multi-domain.csr to your CA. They'll validate each domain listed (via email, file, or DNS validation) and issue a certificate covering all of them.
Verifying SANs on an Existing Certificate
To check which domains a certificate already covers:
Installing a Multi-Domain Certificate
Installation is identical to any other certificate — same files, same directives. The server presents the certificate and browsers automatically check whether the domain in the URL matches any SAN in the certificate. The web server needs no special configuration to handle multiple domains on one certificate:
Managing SAN Certificates: Key Considerations
- Adding a domain means reissuing: Every new domain requires a new CSR and reissuance from the CA. Budget time for this when planning to add domains.
- Domain validation per SAN: Each domain listed must be validated by your CA. For DV (Domain Validation) certificates, this means you need access to email or DNS records for every domain.
- Revocation affects all SANs: If the certificate is revoked (e.g., private key compromised), all domains on the certificate are affected simultaneously. High-risk domains should have their own certificates.
- Renewal timing: Renew before the earliest expiry impact. Set a reminder well before the certificate expires — all covered domains go down at once.
FAQs
- How many domains can I put on one SAN certificate?
CAs typically allow up to 100 SANs on a single certificate. Let's Encrypt allows up to 100 SANs per certificate as well. Most practical use cases are well under this limit. - Can I mix different types of domains — like a root domain and a subdomain — on one SAN cert?
Yes. You can listexample.com,www.example.com,blog.example.com, and completely unrelated domains likemyotherdomain.netall on the same certificate. The only requirement is that you can validate ownership of each domain listed. - Does Let's Encrypt support multi-domain SAN certificates?
Yes. You can request up to 100 SANs with Certbot using the-dflag for each domain:certbot certonly -d example.com -d www.example.com -d example.net. Note that all domains must resolve to a server you can prove control of.
Generating Multi-Domain CSRs on Windows
Windows has two methods for generating a SAN CSR: the built-in certreq tool (no third-party software needed) or OpenSSL on Windows (same syntax as Linux).
Method 1: certreq with SAN INF File
Create a file called C:\ssl\san.inf:
Method 2: OpenSSL on Windows (Identical to Linux)
Multi-Domain Certificates in IIS
Once your CA issues the multi-domain certificate, import it as a PFX and bind it to each site in IIS. The SAN domains are embedded in the certificate — IIS presents the correct certificate for each domain listed in the SAN automatically.
Multi-Domain Certificates on macOS
On macOS, generate the SAN CSR using the same san.cnf and OpenSSL commands from the Linux section — the syntax is identical. macOS ships with LibreSSL (compatible), or install full OpenSSL via brew install openssl.
Generate a multi-domain CSR for your certificate
Create a CSR with multiple SANs for any CA. Our CSR Generator includes SAN field support.