Add Subject Alternative Name (SAN) to a digital certificate
- Last Updated: March 30, 2020
- 2 minute read
- OpenEdge
- Version 12.2
- Documentation
Subject Alternative Name (SAN) is an X.509 extension that lets a single TLS
certificate protect additional host names, listed in the certificate's
subjectAltName field. The same certificate can therefore be presented for
more than one host. At the server level, you can create multiple virtual
hosts and list each of them in the subjectAltName field of the certificate.
Clients then connect to the server using any of the names in subjectAltName,
and whenever an HTTPS request arrives at any of the virtual hosts the server
uses the same certificate for the TLS handshake. Note that a client that
supports SAN ignores the certificate's Common Name once a subjectAltName
extension is present, so every host name that must be protected, including
the default one, has to appear in the subjectAltName list.
A wildcard certificate protects all first-level subdomains of one domain,
such as *.example.com, but it cannot protect both www.example.com and
www.example.org. Hosting multiple TLS-enabled sites on a single server
traditionally required a unique IP address per site; a multi-domain (SAN)
certificate lets you protect all of these hosts with a single certificate
instead. A wildcard name can also be used as one of the entries in a SAN
certificate.
To add a SAN with the pkiutil utility, open the pscpki.cnf file in the
%DLC%\keys\policy location and add a subjectAltName entry under the
x509v3_extensions section that refers to a list of names:

    subjectAltName = @alt_names

Then add the host names in a separate alt_names section, one DNS entry per
name:

    [alt_names]
    DNS.1 = <value>
    DNS.2 = <value>

For example, suppose your default host is www.default.com and you want the
same certificate to also cover www.service1.com and www.service2.com. You
then have three virtual hosts, www.default.com, www.service1.com, and
www.service2.com, with loopback addresses 127.0.0.1, 127.0.0.2, and
127.0.0.3 respectively. Do the following:
- Open the hosts file: C:\Windows\System32\drivers\etc\hosts on Windows or /etc/hosts on Linux (the file has no extension).
- Add a line for each loopback address and host name, for example 127.0.0.1 www.default.com. Note: If a loopback address is already assigned to another host, use a different one; for example, if 127.0.0.1 is already taken, assign 127.0.0.4 to www.default.com.
- Verify that the hosts were added by pinging each one from the command prompt, for example ping www.default.com. If every host answers, the entries are in place.
- Create a copy of the pscpki.cnf file in %DLC%\keys\policy and name it myssl.cnf.
- Edit myssl.cnf: add subjectAltName = @alt_names under the x509v3_extensions section, and add the alt_names section after it (a section header starts a new section, so it must not be placed inside x509v3_extensions):

    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = www.service1.com
    DNS.2 = www.service2.com

  If www.default.com must also be reachable over TLS, add it as well (DNS.3 = www.default.com): clients that support SAN do not fall back to the certificate's Common Name once a subjectAltName extension is present.
- Generate the key pair and request with the pkiutil -keysize 2048 -newreq example command. It creates example.pk1 and example.pk10 in %DLC%\keys\requests: example.pk1 is your private key, and example.pk10 is the public key packaged as a Certificate Signing Request (CSR) for a certificate authority (CA).
- Verify the CSR using the sslc req -text -in %DLC%\keys\requests\example.pk10 -noout command.
- Create a self-signed certificate (.cer) and convert it to .pem format using pkiutil.
- Open the .pem file and verify the subjectAltName field by executing the Proenv> sslc x509 -in %DLC%\keys\example.pem -text -noout command. The X509v3 extensions section lists the names as follows:

    X509v3 extensions:
        X509v3 Subject Alternative Name:
            DNS:www.service1.com, DNS:www.service2.com
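The matching rules described above (a wildcard covers only one label of one domain, and the Common Name is ignored once a SAN is present) and the final verification step, as an added example in Python that is not part of this OpenEdge documentation nor of pkiutil or sslc: it renders an alt_names section for a list of virtual hosts, extracts the DNS entries from sslc x509 -text -noout (OpenSSL x509 -text) output, and reports which intended hosts the certificate would not cover. The function names and the sample certificate text are constructed for the example and are not taken from a real certificate.

```python
"""Added example (not OpenEdge/Progress code): render the alt_names section,
pull the SAN out of sslc/openssl 'x509 -text' output, and check which
virtual hosts a certificate actually covers."""
import re


def alt_names_section(hosts):
    """Render the [alt_names] section for pscpki.cnf/myssl.cnf.

    Names are lower-cased and duplicates rejected, so the list in the
    config matches the list you intend to verify against later.
    """
    lines = ["[alt_names]"]
    seen = set()
    for index, host in enumerate(hosts, start=1):
        name = host.strip().lower().rstrip(".")
        if not name or name in seen:
            raise ValueError(f"empty or duplicate SAN entry: {host!r}")
        seen.add(name)
        lines.append(f"DNS.{index} = {name}")
    return "\n".join(lines) + "\n"


# The line after the header holds the comma-separated entries, e.g.
#   X509v3 Subject Alternative Name:
#       DNS:www.service1.com, DNS:www.service2.com
_SAN_RE = re.compile(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)")


def san_dns_names(x509_text):
    """Return the DNS entries from 'sslc x509 -text -noout' output ([] if no SAN)."""
    match = _SAN_RE.search(x509_text)
    if not match:
        return []
    entries = [e.strip() for e in match.group(1).split(",")]
    return [e[len("DNS:"):].lower() for e in entries if e.startswith("DNS:")]


def name_matches(pattern, hostname):
    """RFC 6125 style comparison of one SAN entry against a host name.

    A wildcard is only honoured as the entire left-most label and only
    matches exactly one label: *.example.com covers www.example.com but
    not example.com, a.b.example.com or www.example.org.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or any("*" in l for l in plabels[1:]):
        return False  # partial, nested or too-broad wildcards are not accepted
    return len(hlabels) == len(plabels) and hlabels[1:] == plabels[1:]


def hostname_covered(hostname, san_names, common_name=None):
    """Once a SAN extension is present the Common Name is ignored (RFC 6125
    section 6.4.4); the CN is consulted only for legacy certificates with no SAN."""
    if san_names:
        return any(name_matches(p, hostname) for p in san_names)
    return common_name is not None and name_matches(common_name, hostname)


def uncovered_hosts(intended_hosts, x509_text, common_name=None):
    """List the virtual hosts that the certificate in x509_text does not cover."""
    san = san_dns_names(x509_text)
    return [h for h in intended_hosts if not hostname_covered(h, san, common_name)]


# Constructed sample of 'sslc x509 -text -noout' output; not from a real certificate.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Subject: CN = www.default.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.service1.com, DNS:www.service2.com
            X509v3 Basic Constraints:
                CA:FALSE
"""

VIRTUAL_HOSTS = ["www.default.com", "www.service1.com", "www.service2.com"]

if __name__ == "__main__":
    print(alt_names_section(VIRTUAL_HOSTS))
    # www.default.com is only in the CN, so a SAN-aware client will reject it.
    print("not covered:", uncovered_hosts(VIRTUAL_HOSTS, SAMPLE_X509_TEXT, "www.default.com"))
```

Run it against the real output of sslc x509 -text -noout on your .pem file to confirm that every virtual host in the hosts file is in the SAN list; with the page's two-entry alt_names section the check reports www.default.com as uncovered, because it lives only in the Common Name.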