February 17, 2021
TLS certificates for hosts and domains must somehow identify what hostname (or names) they're for. Historically there have been two ways to do this. The first way was a specific sub-field, the CN or CommonName, of the certificate's overall Subject Name. This had the problem that it could only have one name. When people started wanting to have TLS certificates that covered more than one name, they invented another mechanism, the Subject Alternative Name (SAN) extension.

As a practical matter, all vaguely modern software that wants to
properly validate TLS certificates has supported (and often preferred)
Subject Alternative Names for some time. A great many TLS certificates