SAN (Subject Alternative Name) Certificates

A Subject Alternative Name (SAN) certificate lets a single SSL/TLS certificate protect multiple, distinct hostnames. This article explains when to choose SAN over Wildcard, how to add SANs to an existing certificate, and the support process for billing additional SANs.

What a SAN certificate covers

A SAN certificate can secure unrelated hostnames under one certificate — for example, example.com, www.example.com, example.net, and shop.example.co.uk.

Certificate type    What it covers
SAN                 Different hostnames and domains.
Wildcard            Many subdomains of one domain (for example, *.example.com), but not other domains like example.net.

When to choose SAN

Choose a SAN certificate to secure:

  • Multiple sites or domains (e.g., example.com, example.net, example.org)
  • Different hostnames that aren't all subdomains of one domain
  • A mix of root and subdomains (e.g., example.com, shop.example.com, example.net)

Choose a Wildcard if you only need to secure subdomains of one domain (e.g., api.example.com, cdn.example.com, mail.example.com).

Note: Not all SSL products include SAN support. Check our pricing page and sort by "SAN support." This guide does not apply to QuickSSL Premium with SAN, which has unique behaviour and terms.

Before you begin

  • Server access: You need access to the server to generate a new CSR and private key.
  • Hostname list: Plan every hostname you want covered now and in the near term to avoid extra reissues.
  • IP addresses: IP addresses in the Common Name or SANs are not supported.

Example SAN list

Common Name (CN): example.com
Subject Alternative Names:
  DNS: example.com
  DNS: www.example.com
  DNS: example.net
  DNS: shop.example.co.uk

Step 1: Generate a new CSR and private key

  1. Create a new CSR — a new CSR is required whenever you add or change SANs.
  2. Include every hostname (existing plus new) in the CSR.
  3. Keep the Common Name (CN) the same as on the original certificate.
  4. Follow your server's documentation for adding SANs — look for the SubjectAltName / SAN section in the CSR configuration.

Tip: Many servers use an OpenSSL config with an [ alt_names ] section:

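[ req ]
# Point the request at the extension section so the SANs are written into the CSR
req_extensions = req_ext

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
# List every hostname, existing and new
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = example.net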
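
Before pasting the CSR into the portal, its contents can be checked against the planned hostname list. The following is an added example, not OpenSRS or supplier code: it parses the text printed by `openssl req -in new.csr -noout -text` and reports missing or unplanned SANs, IP entries, a changed CN, and an RSA key under 2048 bits. The file name new.csr, the function name check_csr_text, and the sample output are constructed for illustration.

```python
import re

# Constructed sample of `openssl req -in new.csr -noout -text` output
# (illustrative only, not taken from a real order).
SAMPLE_CSR_TEXT = """\
Certificate Request:
    Data:
        Subject: CN = example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:www.example.com, IP Address:192.0.2.10
"""

# The hostname plan from the "Example SAN list" above.
PLANNED = ["example.com", "www.example.com", "example.net", "shop.example.co.uk"]


def check_csr_text(text, planned, original_cn, min_rsa_bits=2048):
    """Return a list of problems; an empty list means the CSR matches the plan."""
    problems = []
    # OpenSSL prints "CN = x" or "CN=x" depending on version.
    cn = re.search(r"Subject:.*?\bCN\s*=\s*([^,/\n]+)", text)
    cn = cn.group(1).strip().lower() if cn else None
    if cn != original_cn.lower():
        problems.append(f"CN mismatch: {cn} != {original_cn}")
    # SAN values are printed on the line after the extension header.
    san = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", text)
    entries = [e.strip() for e in san.group(1).split(",")] if san else []
    dns = {e[4:].lower() for e in entries if e.startswith("DNS:")}
    want = {h.lower() for h in planned}
    problems += [f"missing SAN: {h}" for h in sorted(want - dns)]
    problems += [f"unplanned SAN: {h}" for h in sorted(dns - want)]
    problems += [f"unsupported IP SAN: {e}" for e in entries
                 if e.startswith("IP Address:")]
    # The key-size rule on this page is stated for RSA, so only check RSA keys.
    bits = re.search(r"Public-Key: \((\d+) bit\)", text)
    if "rsaEncryption" in text and (not bits or int(bits.group(1)) < min_rsa_bits):
        problems.append(f"RSA key below {min_rsa_bits} bits")
    return problems


if __name__ == "__main__":
    for problem in check_csr_text(SAMPLE_CSR_TEXT, PLANNED, "example.com"):
        print(problem)
```

An empty result means the CSR carries the same CN as the original certificate and exactly the planned SAN set.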

Step 2: Sign in to the supplier portal

Use the certificate supplier's guest portal to reissue. For access instructions, see the trust product management guest portal article.

Step 3: Reissue the certificate

  1. In the supplier portal, select Reissue Certificate.
  2. Choose Edit & Add Additional Domains (sometimes labelled Redeem).
  3. Paste the new CSR with the full SAN list.
  4. Complete any domain control validation (DCV) prompts the supplier requests.

Step 4: Notify OpenSRS Support if SAN count increases

If your total SAN count goes up, contact OpenSRS Support with:

  • Reseller username
  • Supplier order ID
  • Common Name (CN)

Support completes the order and charges for the additional SANs at the price shown on the pricing page.

Note: No Support contact is needed if your total SAN count is unchanged (for example, you replaced one SAN with another).

Frequently asked questions

  • Do I have to reissue for any SAN change? Yes. Any add, remove, or swap requires a reissue with a new CSR that includes the full desired SAN set.
  • Will validation restart? It can. Some changes trigger DCV again for added hostnames. Be ready to approve validation emails, DNS, or file checks quickly.
  • How are costs handled? You pay per additional SAN at the price on the pricing page. If you swap a SAN with no change in total count, no extra fee applies.
  • Can I secure IP addresses? No. Certificates with a CN or SAN that is an IP address are not supported.

Troubleshooting

  • "Name missing" after reissue: Confirm the CSR includes every SAN. The CSR contents become the certificate contents.
  • Validation stuck: Verify DCV is complete for every new hostname.
  • Portal won't accept the CSR: Confirm the CN matches the original certificate and that the CSR key length and algorithm meet current requirements (RSA 2048+).
  • Renewal coming up: Align SAN changes with renewal where possible to avoid multiple reissues.

Next steps

  • Complete domain validation: Approve the DCV challenges the CA issues after reissue.
  • Install the reissued certificate: Deploy the updated certificate on your web server.
  • Plan the next renewal: Use this opportunity to finalize the SAN list before renewal.

Questions? Contact OpenSRS Support.
