Planning and Deploying a Multi-Domain SSL Certificate
Zane Lucas
A Multi-Domain SSL Certificate, also offered under the Unified Communications Certificate (UCC) name, secures several names on one SSL Certificate. Getting the most from it is mostly a matter of planning the names before you order and managing them sensibly afterward.
This guide walks through that practical side: scoping the names, mapping the primary name and the Subject Alternative Name (SAN) entries, validating each name, installing once, and adding names later.
Inventory the Names First
Start by listing every name that needs protection, including the root domain, the www host, and any subdomains and separate domains in use. A name left off the list will not be covered, so a thorough sweep at this stage avoids a gap later.
Group the names so you can see the pattern. A long list of subdomains under one domain may point toward a Wildcard SSL Certificate instead, while a spread of separate domains is exactly what a Multi-Domain SSL Certificate is for.
Map the Primary Name and the Subject Alternative Name (SAN) Entries
One name is the primary name and sits in the Common Name (CN) field. Every other name becomes an entry in the Subject Alternative Name (SAN) field, and the SSL Certificate is valid for all of them equally.
The choice of primary name is mostly administrative, so pick the main public domain for clarity.
Generate One Certificate Signing Request (CSR)
A Multi-Domain SSL Certificate uses a single Certificate Signing Request (CSR) generated for the primary name. The additional names are supplied during the order rather than placed inside the Certificate Signing Request (CSR) itself.
Generate the Certificate Signing Request (CSR) on the server where the SSL Certificate will live, and keep the matching Private Key safe.
Validate Every Name
Each name on the SSL Certificate must pass Domain Control Validation (DCV) before the Certificate Authority (CA) issues it. Domain Validation (DV) confirms control of each name, while Organization Validation (OV) and Extended Validation (EV) add checks of the business behind them.
Plan for this: you need a way to complete validation for every name, whether by file, Domain Name System (DNS) record, or e-mail. A single unvalidated name will hold up the whole SSL Certificate.
Install Once, Cover Everything
Once issued, the SSL Certificate is installed a single time on the server that answers for the names, and it then secures every listed name from that one installation. This is the core saving in day-to-day work compared with juggling separate SSL Certificates.
Where the names are served by different systems, the same SSL Certificate and its Private Key are installed on each, since all the names share one SSL Certificate.
Add Names and Keep Coverage Current
To cover a new name after issuance, order an additional Subject Alternative Name (SAN) for the existing SSL Certificate, and Trustico® adds it. The cost is pro-rated to the validity left on your license, so the new name shares the same expiry date.
Keep one record of every name and one reminder for the shared expiry date, since a single lapse would affect all of them at once. A reissue stays available without charge for a Private Key change or to claim validity from a multi-year license.
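One way to check the record of names against what the SSL Certificate actually lists, as an added example that is not part of the original guide. The hostnames are constructed, the function names are hypothetical, and the check also handles wildcard entries, which goes slightly beyond the plain name lists described above.

```python
# Added example: audit the record of names against a certificate's SAN list.
# All hostnames are constructed sample data; function names are hypothetical.

def normalize(name):
    """Lower-case and drop a trailing dot so comparisons are consistent."""
    return name.strip().lower().rstrip(".")

def san_matches(san, host):
    """Return True if one SAN DNS entry covers host.

    A wildcard counts only as the whole left-most label and stands for
    exactly one label: *.example.com covers shop.example.com, but not
    example.com and not a.b.example.com.
    """
    san, host = normalize(san), normalize(host)
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                      # ".example.com"
    if not host.endswith(suffix):
        return False
    first_label = host[:-len(suffix)]
    return bool(first_label) and "." not in first_label

def audit(inventory, san_entries):
    """Return (uncovered, unused).

    uncovered: names in the record that no SAN entry covers.
    unused:    SAN entries that match no name in the record.
    """
    inv = [normalize(n) for n in inventory]
    sans = [normalize(s) for s in san_entries]
    uncovered = [h for h in inv if not any(san_matches(s, h) for s in sans)]
    unused = [s for s in sans if not any(san_matches(s, h) for h in inv)]
    return uncovered, unused

# Constructed record of names that need protection.
INVENTORY = ["example.com", "www.example.com", "shop.example.com",
             "example.net", "www.example.net", "Mail.Example.org."]
# Constructed SAN list, as it would be read from the issued certificate.
SAN_ENTRIES = ["example.com", "www.example.com", "shop.example.com",
               "example.net", "mail.example.org", "old.example.com"]

if __name__ == "__main__":
    uncovered, unused = audit(INVENTORY, SAN_ENTRIES)
    print("Not covered:", uncovered)
    print("On certificate but not in record:", unused)
```

Names reported as not covered are the ones that need an additional Subject Alternative Name (SAN); entries on the SSL Certificate but missing from the record show where the record itself has drifted.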