What is the difference between SAN and SNI SSL certificates?

ssl sni subject-alternative-names
29,096

Solution 1

SAN (Subject Alternative Name) is part of the X509 certificate spec, where the certificate has a field with a list of alternative names that are also valid for the subject (in addition to the single Common Name / CN). This field and wildcard names are essentially the two ways of using one certificate for multiple names.

SNI (Server Name Indication) is a TLS protocol extension that is sort of a TLS protocol equivalent of the HTTP Host-header. When a client sends this, it allows the server to pick the proper certificate to present to the client without having the limitation of using separate IP addresses on the server side (much like how the HTTP Host header is heavily used for plain HTTP).

Do note that SNI is not something that is reflected in the certificate and it actually achieves kind of the opposite of what the question asks for; it simplifies having many certificates, not using one certificate for many things.

On the other hand, it depends heavily on the situation which path is actually preferable. As an example, what the question asks for is almost assuredly not what you actually want if you need certificates for different entities.

Solution 2

SAN stands for Subject Alternative Name, and it's an x509 certificate property, and SNI is a feature that the SSL/TLS client can support, thus a totally different entity.

Using a certificate with SAN you can host multiple HTTPS-enabled sites on one IP address even if the client doesn't support the SNI. In this case you hold one certificate for all of your sites, and such certificate must contain all of the site names (ServerNames or ServerAliases in the Apache coordinates, or server_name in Nginx) as it's SANs. This is a subset of a legacy approach, the one that did extend the "one HTTPS-enabled site on each separate IP address". Currently, only large CDNs stick with SAN.

Using SNI you can also host multiple HTTPS-enabled sites on one IP, you hold a separate x509 certificate for each site and neither of these mentions other site names in their SAN property, but TLS clients (i.e. browsers and console clients such as wget or curl) must support SNI. This is a modern approach, since the last OS not supporting SNI out-of-the-box was Windows XP with IE 6.x, if I remember correctly. Nowadays you can see the SAN property if you purchase the wildcard certificate - for example such a certificate for *.example.com will contain a Common Name of *.example.com and a SAN of example.com.

Solution 3

This mixes two parts of the certificate process.

A SAN is a Subject Alternative Name. It is a way to create one certificate for multiple domains. You simply add the other domains you want a certificate for to the SAN field in the certificate. The browser will then accept the validity on these domains as well.

SNI is Server Name Indication and is part of SSL. It allows you to host multiple SSL sites on a single IP because the desired server name is sent with the SSL handshake and the server can choose the correct certificate for the answer.

Share:
29,096

Related videos on Youtube

AFA Med
Author by

AFA Med

To begin, I started learning/working on marketing related fields. Meanwhile, I spent more than 10 years exploring all the ins and outs of web development and online marketing. After accumulating solid experience, I decided to found the AFA Advisory consulting firm to share my passion. We provide consultancy in the following areas: Surveys, polls and marketing research Operational marketing, sales promotion and events Digital marketing Web development and mobile applications Visual communication and print

Updated on September 18, 2022

Comments

  • AFA Med
    AFA Med almost 2 years

    Could someone explain me the difference between these certificates in a simplified way? I read some articles but it sounds like they do the same job, namely encrypting many domains with one certificate.

  • Håkan Lindqvist
    Håkan Lindqvist over 7 years
    Technically, I don't believe that an SSL client can support SNI (to my knowledge it's a TLS extension that has never appeared in SSL).
  • kasperd
    kasperd over 7 years
    Both SAN and SNI require client support. However since SAN has been around for a lot longer, it is more widely supported.
  • Naveed Abbas
    Naveed Abbas over 7 years
    @coderanger If there is SAN field, the CN field is ignored by most clients. If there is no SAN field, the CN field works with most clients (and if they get mad at me it doesn't show).
  • womble
    womble over 6 years
    They're judging you silently.
  • Fernando Gabrieli
    Fernando Gabrieli almost 6 years
    is SNI something similar to virtual hosts where a server with say one IP address holds several hosts defined in the HTTP config? (some sort of multiplexing: using one IP for several certs instead of each cert with a different IP, where IPv4 are a scarce resource these days) ?
  • Håkan Lindqvist
    Håkan Lindqvist almost 6 years
    @FernandoGabrieli Yes, it enables the same kind of name-based setup on the TLS level.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Apache SNI: multiple SSL certificates on one IP address
HowTo setup Tomcat serving two SSL Certificates using SNI?
AWS ALB/NLB HTTPS Target with Self-Signed Cert
How to get HAProxy to route TCP based on SNI (using openssl s_client to test)?
Upgrading OpenSSL in CentOS 5.3
No need to enable SNI for multiple SSL sites on same IP but using same wild card certificate?
HAProxy with SNI and different SSL Settings
using nginx with SNI
SNI and wildcard SSL certificates on the same server with IIS
How to define which SSL certificate nginx sends first with SNI?