Subject Alternative Name (SAN) Field Explained
The Subject Alternative Name (SAN) extension lists all domain names and IP addresses an SSL certificate is valid for. Learn how SANs work and why they replaced the CN field.
The Subject Alternative Name (SAN) is an X.509 extension that specifies all the domain names, IP addresses, email addresses, or URIs that a certificate is considered valid for. It is the authoritative field browsers use to determine whether a certificate matches the domain you're visiting.
Why SAN Replaced Common Name for Hostname Matching
Historically, browsers checked the certificate's Common Name (CN) field for hostname matching. In 2017, the CA/Browser Forum deprecated the use of CN for hostname verification (RFC 2818 had recommended SANs for years). Chrome stopped honoring CN-only certificates in 2017. Today, a certificate must have the domain in the SAN extension to be trusted by browsers — the CN field is ignored for hostname validation. See the full comparison: SAN vs. Common Name.
SAN Entry Types
The SAN extension supports several General Name types:
- dNSName: A domain name (e.g., example.com, *.example.com)
- iPAddress: An IP address in binary form (e.g., 192.168.1.1 or an IPv6 address)
- rfc822Name: An email address (used in S/MIME certificates)
- uniformResourceIdentifier: A URI
Reading SANs in the Decoder
When you decode a certificate, the SAN section lists every entry with its type prefix. DNS: prefixes domain names; IP Address: prefixes IP addresses. A modern Let's Encrypt certificate always includes both the bare domain and the www subdomain in the SANs (e.g., DNS: example.com and DNS: www.example.com).
Wildcard SANs
SANs support wildcard entries like *.example.com. A wildcard SAN matches any single subdomain label. *.example.com matches www.example.com but not sub.www.example.com. The wildcard only applies to the leftmost label.
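The matching rules above, as an added example (not code from the decoder or from any browser): a SAN-only hostname check over entries written with the DNS: and IP Address: prefixes described earlier. The sample certificate data, the function names, and the assumption that entries arrive as one prefixed string each are constructed for illustration.

```python
import ipaddress

# Constructed sample: SAN lines with the decoder-style prefixes, plus a CN
# value that does not appear anywhere in the SAN list.
SAMPLE_CN = "cn-only.example.net"
SAMPLE_SANS = ["DNS: example.com", "DNS: *.example.com", "IP Address: 192.168.1.1"]


def parse_san(line):
    """Split 'DNS: name' or 'IP Address: addr' into (type, value)."""
    kind, _, value = line.partition(":")  # first colon only, so IPv6 survives
    return kind.strip(), value.strip()


def _ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def dns_matches(pattern, host):
    """Match one dNSName entry; '*' counts only as the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label
    if p_labels[0] == "*":
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def san_matches(host, san_lines):
    """True if host is covered by the SAN list. The CN is never consulted."""
    entries = [parse_san(line) for line in san_lines]
    addr = _ip(host)
    if addr is not None:
        # IP literals are compared with iPAddress entries only, never dNSName.
        return any(kind == "IP Address" and _ip(v) == addr for kind, v in entries)
    return any(kind == "DNS" and dns_matches(v, host) for kind, v in entries)


if __name__ == "__main__":
    for name in ("www.example.com", "sub.www.example.com", "192.168.1.1", SAMPLE_CN):
        print(f"{name:22} {'match' if san_matches(name, SAMPLE_SANS) else 'no match'}")
```

The bare domain matches here only because it is listed as its own entry; *.example.com alone does not cover example.com.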
SAN Count Limits
There is no hard limit in the X.509 standard on the number of SANs, but CAs impose their own limits. Let's Encrypt allows 100 names per certificate. Commercial CAs typically allow 100–250. Cloudflare CDN edge certificates can have thousands of SANs (one per customer domain). To cover multiple distinct domains, see multi-domain SSL certificates; to cover all subdomains, see wildcard SSL certificates.