Could someone explain me the difference between these certificates in a simplified way? I read some articles but it sounds like they do the same job, namely encrypting many domains with one certificate.
SSL Certificates – Difference Between SAN and SNI
snisslsubject-alternative-names
Related Topic
- Ssl – EC2 Load balancer and wildcard/multi-domain SSL certificates
- Ssl – HAProxy with SNI and different SSL Settings
- Squid reverse proxy with multiple SSL-certificates via SNI
- Nginx – TLS/SSL – Does SNI Have a Limit on Number of Domains Running on Nginx
- Apache SNI Issues with SSL Certificates
- Ssl – Better understanding TLS/SSL Alternative Names
Best Answer
SAN (Subject Alternative Name) is part of the X509 certificate spec, where the certificate has a field with a list of alternative names that are also valid for the subject (in addition to the single Common Name / CN). This field and wildcard names are essentially the two ways of using one certificate for multiple names.
SNI (Server Name Indication) is a TLS protocol extension that is sort of a TLS protocol equivalent of the HTTP Host-header. When a client sends this, it allows the server to pick the proper certificate to present to the client without having the limitation of using separate IP addresses on the server side (much like how the HTTP Host header is heavily used for plain HTTP).
Do note that SNI is not something that is reflected in the certificate and it actually achieves kind of the opposite of what the question asks for; it simplifies having many certificates, not using one certificate for many things.
On the other hand, it depends heavily on the situation which path is actually preferable. As an example, what the question asks for is almost assuredly not what you actually want if you need certificates for different entities.