Could someone explain me the difference between these certificates in a simplified way? I read some articles but it sounds like they do the same job, namely encrypting many domains with one certificate.
Could someone explain me the difference between these certificates in a simplified way? I read some articles but it sounds like they do the same job, namely encrypting many domains with one certificate.
SAN (Subject Alternative Name) is part of the X509 certificate spec, where the certificate has a field with a list of alternative names that are also valid for the subject (in addition to the single Common Name / CN). This field and wildcard names are essentially the two ways of using one certificate for multiple names.
SNI (Server Name Indication) is a TLS protocol extension that is sort of a TLS protocol equivalent of the HTTP Host-header. When a client sends this, it allows the server to pick the proper certificate to present to the client without having the limitation of using separate IP addresses on the server side (much like how the HTTP Host header is heavily used for plain HTTP).
Do note that SNI is not something that is reflected in the certificate and it actually achieves kind of the opposite of what the question asks for; it simplifies having many certificates, not using one certificate for many things.
On the other hand, it depends heavily on the situation which path is actually preferable. As an example, what the question asks for is almost assuredly not what you actually want if you need certificates for different entities.
SAN stands for Subject Alternative Name, and it's an x509 certificate property, and SNI is a feature that the SSL/TLS client can support, thus a totally different entity.
Using a certificate with SAN you can host multiple HTTPS-enabled sites on one IP address even if the client doesn't support the SNI. In this case you hold one certificate for all of your sites, and such certificate must contain all of the site names (
ServerName
s orServerAlias
es in the Apache coordinates, orserver_name
in Nginx) as it's SANs. This is a subset of a legacy approach, the one that did extend the "one HTTPS-enabled site on each separate IP address". Currently, only large CDNs stick with SAN.Using SNI you can also host multiple HTTPS-enabled sites on one IP, you hold a separate x509 certificate for each site and neither of these mentions other site names in their SAN property, but TLS clients (i.e. browsers and console clients such as
wget
orcurl
) must support SNI. This is a modern approach, since the last OS not supporting SNI out-of-the-box was Windows XP with IE 6.x, if I remember correctly. Nowadays you can see the SAN property if you purchase the wildcard certificate - for example such a certificate for*.example.com
will contain a Common Name of*.example.com
and a SAN ofexample.com
.This mixes two parts of the certificate process.
A SAN is a Subject Alternative Name. It is a way to create one certificate for multiple domains. You simply add the other domains you want a certificate for to the SAN field in the certificate. The browser will then accept the validity on these domains as well.
SNI is Server Name Indication and is part of SSL. It allows you to host multiple SSL sites on a single IP because the desired server name is sent with the SSL handshake and the server can choose the correct certificate for the answer.
Here a (possibly) more human readable answer:
SNI is conducted on the client side and tells TLS stack "I want to talk to a server whose name is [Server X]". Server sees this [Server X] string and replies with an appropriate certificate. One practical example is when a single server needs to serve traffic for multiple domains. It is also useful if client used an IP (to avoid DNS lookup delays) but certificate CN does not mention the IP.
SAN is a list of "Also Known As" in certificates. This way server may use a single certificate for many names. One can add many domains to the same certificate and even a list of IPs.
As you can see, things overlap. Choosing between one or both depends where one has control over. Some clients might not recognize names in SAN and the only way to address that is through providing appropriate certificate based on SNI. There are scenarios which server provides API for a single certificate or client does not send SNI. For these cases, SAN is the only way out.
My company makes use of both. They provide flexibility and make backward and forward compatibility easier.