What Is a Subject Alternative Name in TLS?
Learn what a subject alternative name is in a TLS certificate, why SANs matter for hostname validation, and how SAN data helps with discovery and troubleshooting.
Tools For This Topic
What a subject alternative name is
A subject alternative name, usually called a SAN, is an extension in a TLS certificate that lists the hostnames or other identities the certificate is valid for. In modern TLS validation, the SAN list is the key place clients look when deciding whether a certificate matches a hostname.
That means a single certificate can cover multiple DNS names such as example.com, www.example.com, and api.example.com.
Why SANs matter in practice
- They define which hostnames the certificate can legitimately secure
- They help browsers and clients validate hostname identity
- They make it possible to issue multi-domain certificates
- They provide useful discovery clues during audits and asset inventory work
How SAN data is used for troubleshooting
When a TLS warning says the certificate does not match the hostname, the first thing to inspect is the SAN list. If the requested hostname is not present, the problem may be a misissued certificate, the wrong endpoint, or traffic being routed to an unexpected service.
SAN inspection is also useful when trying to understand what other names a platform, CDN, or shared certificate may be serving.
What SAN data does not tell you
A SAN entry does not prove the hostname is currently live, controlled, or intentionally public. It only proves the name appeared in that certificate. Like CT data, SAN data should be treated as an investigative clue rather than as final proof of exposure.
It is also common for certificates to contain hostnames used for operational convenience rather than for actively exposed production services.
That is why SAN analysis works best when paired with DNS and service validation. The certificate can show you what names were intended, but additional checks are what tell you whether those names still matter today.
When SAN exploration is useful
- Investigating a certificate mismatch or TLS error
- Discovering related hostnames on a public endpoint
- Reviewing third-party or hosted-service exposure
- Supporting subdomain inventory and attack-surface analysis
- Confirming whether a service certificate covers the intended names
Because SANs are tied to live certificates, they are often one of the fastest ways to understand what identities a public endpoint is prepared to present, even before deeper application analysis begins.
Related tools and guides
Related Tools
Related Articles
How Certificate Transparency Helps Find Subdomains
Learn how certificate transparency logs help find subdomains, what the data misses, and how to interpret CT-based hostname discovery safely.
What are CAA records?
Learn what CAA records contain, how issue and issuewild tags work, and how CAA helps control which certificate authorities can issue for your domain.
How to Fix CAA Record Errors Before Certificate Renewal Fails
Learn how to fix CAA record errors, why certificate issuance gets blocked, and how to verify issue, issuewild, and parent-domain policy before renewal fails.