Multi-Domain SSL Certificates (SAN): Complete Guide 2024

November 15, 2025 By SSL Checker Pro Team

Multi-domain SSL certificates, also known as SAN (Subject Alternative Name) certificates or UCC (Unified Communications Certificates), allow you to secure multiple domain names with a single certificate. This powerful solution reduces costs, simplifies management, and provides flexibility for organizations managing multiple websites or services.

What are Multi-Domain SSL Certificates?

A multi-domain SSL certificate uses the Subject Alternative Name (SAN) extension to include multiple domain names in a single certificate. Unlike wildcard certificates, which cover only the subdomains of a single domain, SAN certificates can secure completely different domain names, subdomains, and even IP addresses.

Example SAN Certificate Coverage

Single Certificate Can Secure:

  • example.com
  • www.example.com
  • shop.example.com
  • anotherdomain.com
  • www.anotherdomain.com
  • thirddomain.net
  • mail.company.org

All secured with one certificate, one renewal date, and one management process.

When to Use Multi-Domain SSL Certificates

Perfect Use Cases

| Scenario | Why SAN Works | Example |
|---|---|---|
| Multiple Brand Websites | Secure different brands under one certificate | brand1.com, brand2.com, brand3.com |
| Regional Domains | Different country domains for same business | example.com, example.co.uk, example.de |
| Microsoft Exchange | Secure multiple Exchange services | mail.domain.com, autodiscover.domain.com |
| Load Balancer Setup | Multiple domains behind single load balancer | api.site1.com, api.site2.com, api.site3.com |
| Development Environments | Secure dev, staging, and production | dev.example.com, staging.example.com, example.com |

SAN vs Wildcard vs Individual Certificates

Comparison Matrix

| Feature | Individual Certs | Wildcard | Multi-Domain (SAN) |
|---|---|---|---|
| Multiple Domains | ❌ No | ❌ No | ✅ Yes |
| Subdomains | ❌ One only | ✅ Unlimited | ✅ As SAN entries |
| Different TLDs | ❌ Separate certs | ❌ No | ✅ Yes |
| Cost Efficiency | ❌ High (multiple) | ✅ Good | ✅ Excellent |
| Management | ❌ Complex | ✅ Simple | ✅ Simple |
| Flexibility | ✅ High | ⚠️ Limited | ✅ High |

Obtaining a Multi-Domain SSL Certificate

Free SAN Certificate with Let's Encrypt

Let's Encrypt supports multi-domain certificates with up to 100 SANs per certificate:

#!/bin/bash
# Request multi-domain certificate with Certbot
sudo certbot certonly \
  --webroot \
  --webroot-path=/var/www/html \
  -d example.com \
  -d www.example.com \
  -d shop.example.com \
  -d anotherdomain.com \
  -d www.anotherdomain.com \
  --email admin@example.com \
  --agree-tos \
  --non-interactive

# Certificate will be saved to:
# /etc/letsencrypt/live/example.com/fullchain.pem
# /etc/letsencrypt/live/example.com/privkey.pem

Using DNS Validation for Multiple Domains

#!/bin/bash
# Multi-domain with DNS validation
sudo certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials ~/.secrets/cloudflare.ini \
  -d example.com \
  -d www.example.com \
  -d anotherdomain.com \
  -d www.anotherdomain.com \
  -d thirddomain.net \
  --non-interactive \
  --agree-tos \
  --email admin@example.com

# Test that automatic renewal works (dry run; no certificate is changed)
sudo certbot renew --dry-run

Commercial SAN Certificates

Commercial CAs offer SAN certificates with various domain limits:

| Provider | Base Domains | Max Domains | Price Range |
|---|---|---|---|
| DigiCert | 5 domains | 250 domains | $295 - $1,500/year |
| Sectigo (Comodo) | 3 domains | 250 domains | $119 - $899/year |
| GoDaddy | 5 domains | 100 domains | $149 - $599/year |
| Let's Encrypt | Unlimited | 100 domains | Free |

Configuring Web Servers for SAN Certificates

Nginx Configuration

# /etc/nginx/sites-available/multi-domain.conf

# Redirect HTTP to HTTPS for all domains
server {
    listen 80;
    server_name example.com www.example.com anotherdomain.com www.anotherdomain.com;
    return 301 https://$host$request_uri;
}

# HTTPS configuration for example.com
server {
    listen 443 ssl http2;
    server_name example.com www.example.com;
    
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    
    root /var/www/example;
    index index.html;
    
    location / {
        try_files $uri $uri/ =404;
    }
}

# HTTPS configuration for anotherdomain.com
server {
    listen 443 ssl http2;
    server_name anotherdomain.com www.anotherdomain.com;
    
    # Same certificate works for all domains in SAN
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    
    root /var/www/anotherdomain;
    index index.html;
    
    location / {
        try_files $uri $uri/ =404;
    }
}

Apache Configuration

# /etc/apache2/sites-available/multi-domain-ssl.conf

# Redirect HTTP to HTTPS for all domains
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com anotherdomain.com www.anotherdomain.com

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

# HTTPS configuration for example.com
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5

    # Access rules for the document root (path taken from DocumentRoot above)
    <Directory /var/www/example>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

# HTTPS configuration for anotherdomain.com
<VirtualHost *:443>
    ServerName anotherdomain.com
    ServerAlias www.anotherdomain.com
    DocumentRoot /var/www/anotherdomain

    # Same certificate for all SAN domains
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite HIGH:!aNULL:!MD5

    # Access rules for the document root (path taken from DocumentRoot above)
    <Directory /var/www/anotherdomain>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Managing SAN Certificates

Adding Domains to Existing Certificate

With Let's Encrypt, you can easily add domains to an existing certificate:

#!/bin/bash
# Add new domain to existing certificate
sudo certbot certonly \
  --webroot \
  --webroot-path=/var/www/html \
  -d example.com \
  -d www.example.com \
  -d shop.example.com \
  -d anotherdomain.com \
  -d www.anotherdomain.com \
  -d newdomain.com \
  -d www.newdomain.com \
  --expand \
  --email admin@example.com \
  --agree-tos \
  --non-interactive

# Reload web server
sudo systemctl reload nginx

⚠️ Important: Certificate Replacement

When adding or removing domains from a SAN certificate, you're creating a completely new certificate. The old certificate is replaced. Always include ALL domains you want to secure in the new certificate request.

Removing Domains from Certificate

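#!/bin/bash
# Remove a domain by requesting a new cert without it.
# --cert-name keeps the existing "example.com" lineage, so the files under
# /etc/letsencrypt/live/example.com/ are replaced rather than a second
# lineage being created next to the old certificate.
sudo certbot certonly \
  --cert-name example.com \
  --webroot \
  --webroot-path=/var/www/html \
  -d example.com \
  -d www.example.com \
  -d shop.example.com \
  --force-renewal \
  --email admin@example.com \
  --agree-tos \
  --non-interactive

# Note: anotherdomain.com and www.anotherdomain.com are omitted from the list,
# so the new certificate no longer covers them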

Cost Analysis and ROI

Cost Savings Example

Scenario: Securing 10 different domains

Option 1: Individual Certificates

  • 10 certificates × $50/year = $500/year
  • 10 separate renewals to manage
  • 10 different expiration dates

Option 2: Multi-Domain Certificate

  • 1 certificate with 10 SANs = $150/year (Sectigo)
  • 1 renewal to manage
  • 1 expiration date
  • Savings: $350/year (70% reduction)

Option 3: Let's Encrypt Multi-Domain

  • 1 certificate with 10 SANs = FREE
  • Automated renewal
  • Savings: $500/year (100% reduction)

Best Practices for Multi-Domain Certificates

1. Plan Your Domain Structure

  • Group related domains together in single certificate
  • Consider organizational boundaries and ownership
  • Plan for future domain additions
  • Document which domains are in which certificates

2. Implement Proper Validation

  • Ensure you control all domains before requesting certificate
  • Use DNS validation for domains without web servers
  • Verify domain ownership for all SANs
  • Test validation process before production deployment

3. Monitor Certificate Expiration

  • Single certificate expiration affects all domains
  • Set up monitoring alerts 30, 14, and 7 days before expiration
  • Implement automated renewal where possible
  • Test renewal process regularly
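
The script below is an added example, not part of the original guide: it maps a certificate's remaining lifetime onto the 30/14/7-day alert tiers with `openssl x509 -checkend` and reports the tier for every DNS name on the certificate, since all of them expire together. The function names and the throwaway self-signed certificate are constructed for illustration, and `-addext` assumes OpenSSL 1.1.1 or later.

```shell
#!/bin/bash
# Added example: 30/14/7-day expiry tiers for a multi-domain (SAN) certificate.

# expiry_tier CERT: print "expired", the tightest threshold already crossed
# ("7", "14" or "30"), or "ok". `-checkend N` exits non-zero when the
# certificate expires within the next N seconds.
expiry_tier() {
    local days
    # An unreadable file must not be reported as a healthy certificate.
    openssl x509 -in "$1" -noout 2>/dev/null || { echo unreadable; return 2; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo expired; return 0; }
    for days in 7 14 30; do
        openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null ||
            { echo "$days"; return 0; }
    done
    echo ok
}

# expiry_report CERT: one "name tier" line per DNS SAN, because a single
# expiry date applies to every name on the certificate.
expiry_report() {
    local tier
    tier=$(expiry_tier "$1") || return 2
    openssl x509 -in "$1" -noout -text | tr ',' '\n' |
        sed -n "s/^[[:space:]]*DNS:\([^[:space:]]*\).*\$/\1 $tier/p"
}

# make_sample_cert DAYS OUT: constructed throwaway self-signed SAN certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:anotherdomain.com" \
        -keyout "$2.key" -out "$2" 2>/dev/null
}

# Demo on a constructed certificate that expires in 10 days.
if command -v openssl >/dev/null; then
    tmp=$(mktemp -d) && make_sample_cert 10 "$tmp/demo.pem" && expiry_report "$tmp/demo.pem"
    rm -rf "$tmp"
fi
```

Run `expiry_report` from cron against the deployed `fullchain.pem` and alert on any tier other than `ok`.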

4. Security Considerations

  • Private key compromise affects all domains in certificate
  • Store private keys securely with restricted access
  • Use separate certificates for high-security vs standard domains
  • Implement proper key rotation procedures

5. Documentation and Change Management

  • Maintain inventory of all domains in each certificate
  • Document certificate deployment locations
  • Track certificate changes and updates
  • Establish approval process for adding/removing domains

Troubleshooting Common Issues

Issue: Domain Not Covered by Certificate

Symptom: Browser shows certificate error for specific domain

Solution: Verify domain is listed in certificate SANs using:

# Check certificate SANs
openssl x509 -in certificate.pem -text -noout | grep "DNS:"

# Output should show all domains:
# DNS:example.com, DNS:www.example.com, DNS:anotherdomain.com
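
The grep above prints the SAN list but leaves the comparison to the reader. The script below is an added example, not part of the original guide: it checks expected hostnames against the certificate's DNS SANs, applying the one-label wildcard rule, and also lists the names a new `-d` list would drop, which is the check the certificate-replacement warning earlier calls for. The function names and the sample SAN text are constructed; for a live check, pass the output of `openssl x509 -in certificate.pem -text -noout` instead.

```shell
#!/bin/bash
# Added example: audit a certificate's SAN list against the names you expect.

# Constructed sample of the SAN lines in `openssl x509 -text` output.
SAMPLE_SAN_TEXT='X509v3 Subject Alternative Name:
    DNS:example.com, DNS:www.example.com, DNS:*.shop.example.com, DNS:anotherdomain.com, IP Address:192.0.2.10'

# san_entries: read openssl text on stdin, print one lowercased DNS SAN per line.
san_entries() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*$/\1/p' | tr 'A-Z' 'a-z'
}

# host_covered HOST: read SAN entries on stdin; succeed if one covers HOST.
# A wildcard stands for exactly one left-most label: *.shop.example.com covers
# cart.shop.example.com, but not shop.example.com or a.cart.shop.example.com.
host_covered() {
    local san
    while IFS= read -r san; do
        [ "$san" = "$1" ] && return 0
        case $san in
            \*.*) [ -n "${1%%.*}" ] && [ "$1" = "${1%%.*}${san#?}" ] && return 0 ;;
        esac
    done
    return 1
}

# uncovered_hosts SAN_TEXT HOST...: print each HOST that no SAN entry covers.
uncovered_hosts() {
    local sans host
    sans=$(printf '%s\n' "$1" | san_entries); shift
    for host in "$@"; do
        host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
        printf '%s\n' "$sans" | host_covered "$host" || printf '%s\n' "$host"
    done
}

# dropped_names SAN_TEXT NAME...: print each DNS SAN on the current certificate
# that the new -d list omits, i.e. names that lose coverage after replacement.
dropped_names() {
    local sans new san
    sans=$(printf '%s\n' "$1" | san_entries); shift
    new=$(printf '%s\n' "$@" | tr 'A-Z' 'a-z')
    printf '%s\n' "$sans" | while IFS= read -r san; do
        printf '%s\n' "$new" | grep -qxF -- "$san" || printf '%s\n' "$san"
    done
}

echo "Not covered:";      uncovered_hosts "$SAMPLE_SAN_TEXT" shop.example.com cart.shop.example.com thirddomain.net
echo "Would be dropped:"; dropped_names "$SAMPLE_SAN_TEXT" example.com www.example.com shop.example.com
```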

Issue: Certificate Renewal Fails

Symptom: Automated renewal fails for multi-domain certificate

Solution: Check validation for all domains:

# Test renewal with verbose output
sudo certbot renew --dry-run --verbose

# Check which domain validation is failing
# Ensure all domains are accessible and validation files can be served

Issue: Too Many Domains in Certificate

Symptom: Certificate size causes performance issues

Solution: Split into multiple certificates by logical grouping. Let's Encrypt allows up to 100 SANs, but the practical limit is 20-30 for performance.

Advanced Use Cases

Load Balancer Configuration

Use SAN certificates with load balancers to secure multiple backend services:

# HAProxy SSL configuration with SAN certificate
frontend https_frontend
    bind *:443 ssl crt /etc/ssl/certs/multi-domain.pem
    
    # Route based on the HTTP Host header (hdr(host)); the TLS SNI value itself is ssl_fc_sni
    acl is_example hdr(host) -i example.com www.example.com
    acl is_another hdr(host) -i anotherdomain.com www.anotherdomain.com
    
    use_backend example_backend if is_example
    use_backend another_backend if is_another

backend example_backend
    server web1 192.168.1.10:80 check

backend another_backend
    server web2 192.168.1.20:80 check

CDN Integration

Deploy SAN certificates to CDN for multiple domains:

  • Upload certificate to CDN provider
  • Configure each domain to use the certificate
  • Verify SNI support for proper domain routing
  • Test all domains through CDN

Conclusion

Multi-domain SSL certificates provide an efficient, cost-effective solution for securing multiple domains with a single certificate. They simplify certificate management, reduce costs, and provide flexibility for organizations managing diverse web properties. Whether using free Let's Encrypt certificates or commercial SAN certificates, proper planning, implementation, and management ensure secure, reliable SSL/TLS protection across all your domains.

The key to success with multi-domain certificates lies in careful planning of domain groupings, proper validation procedures, comprehensive monitoring, and clear documentation. By following the best practices outlined in this guide, you can effectively leverage SAN certificates to streamline your SSL infrastructure while maintaining strong security.
