Subject Alternative Name (SAN) is an X.509 extension that lets a single TLS certificate cover more than one host name: the additional names are listed in the certificate's subjectAltName field. At the server level, you can create multiple virtual hosts, add each host name to the subjectAltName field, and serve all of them from the same copy of one certificate. Whenever an HTTPS request arrives at any of these virtual hosts, the server presents that certificate in the TLS handshake, and the client accepts it if the host name it asked for matches one of the subjectAltName entries. Modern clients match the requested name against subjectAltName only and ignore the Common Name, so every name the server answers for must appear in the SAN.

A wildcard certificate protects all first-level subdomains of one domain, such as *.example.com, but it cannot protect both www.example.com and www.example.org, and it does not cover deeper names such as a.b.example.com or the bare domain example.com. Hosting several TLS-enabled sites on a single server traditionally required a dedicated IP address per site so that the server could present a different certificate for each; a multi-domain (SAN) certificate with subject alternative names lets you protect all of these names with a single certificate instead. A wildcard name such as *.example.com can itself be one of the subjectAltName entries.

Before you generate the digital certificate with the pkiutil utility, open the pscpki.cnf file in the %DLC%\keys\policy directory and add the subjectAltName setting to the x509v3_extensions section as follows (the steps below also add a v3_req section, referenced from [req], so that the names are carried in the Certificate Signing Request):
  subjectAltName = @alt_names
Then list the host names in an alt_names section, one DNS.n entry per name:
 [alt_names]
          DNS.1 = <value>
          DNS.2 = <value>
For example, assume that you want to generate a certificate for the host www.default.com and two alternate hosts, www.service1.com and www.service2.com. You therefore have three virtual hosts, www.default.com, www.service1.com, and www.service2.com, which for this local test are mapped to the loopback addresses 127.0.0.1, 127.0.0.2, and 127.0.0.3 respectively. Do the following:
  1. Open the hosts file (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts on Linux) in a text editor with administrative privileges.
  2. Add one line per host that maps its loopback address to the host name, for example 127.0.0.2 www.service1.com.
    Note: If a loopback address is already assigned to another host, use a different one. For example, if 127.0.0.1 is already taken, assign 127.0.0.4 to www.default.com.
  3. Verify that the names resolve by pinging each host from a command prompt, for example ping www.default.com. If every host answers, the entries are in place.
  4. Create a backup copy of the %DLC%\keys\policy\pscpki.cnf file.
  5. Remove the read-only attribute of the file and then open the %DLC%\keys\policy\pscpki.cnf in a text editor.
  6. Add a req_extensions entry to the [ req ] section so that the extensions defined in v3_req are included in the CSR. For example (the default_bits = 1024 value shown here is what the stock file contains; step 8 passes -keysize 2048 explicitly, and 1024-bit RSA keys are no longer accepted by public CAs):
    [ req ]
    default_bits        = 1024
    default_keyfile         = privkey.pem
    distinguished_name    = req_distinguished_name
    attributes        = req_attributes
    req_extensions         = v3_req
  7. Add the [ v3_req ] and [alt_names] sections after the entries of [ req_attributes ] and immediately before [ x509v3_extensions ]. For example:
    [ req_attributes ]
    #challengePassword        = A challenge password
    #challengePassword_min        = 4
    #challengePassword_max        = 20
    
    #unstructuredName        = An optional company name
    certs = $ENV::DLC/certs
    default_md = sha256
    default_bits = 2048
    
    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    subjectAltName = @alt_names
    
    [alt_names]
    DNS.1 = www.default.com
    DNS.2 = www.service1.com
    DNS.3 = www.service2.com
    
    
    [ x509v3_extensions ]
    
    basicConstraints=critical,CA:FALSE,pathlen:0
    #keyUsage=serverAuth
  8. Generate the key pair and the CSR with the command pkiutil -keysize 2048 -newreq example. It creates example.pk1 and example.pk10 in the %DLC%\keys\requests directory: example.pk1 is your private key (keep it protected; it never leaves the server), and example.pk10 is the Certificate Signing Request (CSR), in PKCS #10 format, that carries the public key and is submitted to a certificate authority (CA).
  9. Verify that the CSR carries the requested extensions with sslc req -text -in %DLC%\keys\requests\example.pk10 -noout. The output should list all three names under X509v3 Subject Alternative Name in the Requested Extensions section; if it does not, the req_extensions entry from step 6 was not picked up.
  10. Submit the CSR to the CA, obtain the signed certificate as a .cer file, and convert it to a .pem file using pkiutil.

    For more information, see Obtain a certificate from a certificate authority.

  11. Verify the subjectAltName field in the .pem file by executing the following command in proenv:
    Proenv> sslc x509 -in %DLC%\keys\example.pem -text -noout
    The X509v3 extensions section lists the names the certificate covers, for example:
    X509v3 extensions:
        X509v3 Subject Alternative Name:
            DNS:www.default.com, DNS:www.service1.com, DNS:www.service2.com
    Check this output rather than the CSR alone: CAs do not always copy requested extensions into the issued certificate, and a virtual host whose name is missing here will be rejected by clients.
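The following Python script is an added example and is not part of this documentation, pkiutil, or sslc. It covers two points from the procedure and the wildcard discussion above: it renders the [alt_names] section from a list of host names (going slightly beyond the page by putting IP literals into IP.n entries, which OpenSSL requires for addresses), and it implements the client-side name matching that decides which of your virtual hosts a given set of SAN entries, including a wildcard such as *.example.com, actually covers. The function names, the constructed host lists, and the conservative rule that rejects a wildcard with fewer than two labels after it (such as *.com) are this example's own assumptions.

```python
"""Helpers for SAN certificates: render the OpenSSL [alt_names] section and
check which host names a list of SAN entries covers (RFC 6125 rules).

Added illustration; not part of the OpenEdge documentation or pkiutil.
"""
import ipaddress


def alt_names_section(names):
    """Render an OpenSSL-style [alt_names] section from a list of names.

    DNS names become DNS.n entries and IP literals become IP.n entries;
    a bare IP listed under DNS.n yields a dNSName that no client matches
    against an address. Duplicates are dropped, order is preserved.
    """
    dns, ips = [], []
    for name in names:
        name = name.strip().lower()
        if not name:
            continue
        try:
            ips.append(str(ipaddress.ip_address(name)))
        except ValueError:
            dns.append(name)
    lines = ["[alt_names]"]
    for i, n in enumerate(dict.fromkeys(dns), 1):
        lines.append(f"DNS.{i} = {n}")
    for i, ip in enumerate(dict.fromkeys(ips), 1):
        lines.append(f"IP.{i} = {ip}")
    return "\n".join(lines) + "\n"


def _labels(name):
    return name.lower().rstrip(".").split(".")


def dns_name_matches(hostname, san_entry):
    """Match one dNSName SAN entry against a requested host name.

    - exact, case-insensitive match, or
    - a wildcard only as the entire left-most label, matching exactly one
      label, so *.example.com covers www.example.com but not example.com,
      a.b.example.com or www.example.org;
    - assumption for this example: the wildcard must be followed by at
      least two labels, so *.com is rejected.
    IP literals never match a dNSName entry.
    """
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    host, san = _labels(hostname), _labels(san_entry)
    if "*" not in san_entry:
        return host == san
    if san[0] != "*" or any("*" in lbl for lbl in san[1:]) or len(san) < 3:
        return False
    return len(host) == len(san) and host[0] != "" and host[1:] == san[1:]


def covered_hosts(hostnames, san_entries):
    """Return the host names that at least one SAN entry covers."""
    return [h for h in hostnames
            if any(dns_name_matches(h, s) for s in san_entries)]


if __name__ == "__main__":
    # Constructed input: the three virtual hosts from the procedure above.
    hosts = ["www.default.com", "www.service1.com", "www.service2.com"]
    print(alt_names_section(hosts))
    print("covered by exact SAN:", covered_hosts(hosts, hosts))
    # Constructed input: what a single wildcard does and does not cover.
    candidates = ["www.example.com", "api.example.com", "example.com",
                  "a.b.example.com", "www.example.org"]
    print("covered by *.example.com:",
          covered_hosts(candidates, ["*.example.com"]))
```

Run the script before ordering a certificate: paste the printed section into pscpki.cnf, and compare the covered_hosts output for your virtual hosts against the names you intend to request.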