Table of Contents

Machine Identity Security: The Definitive Guide
- Machine Identity Security Explained
- Four Pillars of Machine Identity Architecture
- Machine Identity in the Attacker Workflow: Unit 42 Observations
- Cloud Security Implications and Identity Sprawl
- Implementing a Machine Identity Security Program
- Machine Identity Security FAQs
What Is Workload Identity? Securing Non-Human Identities
- Workload Identity Explained
- The Core Components of Workload Identity Architecture
- Workload Identity in the Zero Trust Framework
- Disrupting the Attack Lifecycle with Workload Identity
- Workload Identity and the AI Agent Security Challenge
- Workload Identity FAQs
What Is a Non-Human Identity (NHI)? Machine Identity Security Explained
- Non-Human Identity Explained
- The Critical Distinction: Standing vs. Non-Standing Privileges
- Lateral Movement and Attacker Workflow
- Non-Human Identity and Zero Trust Alignment
- CIEM, IAM, and PAM Relationships in NHI Security
- Strategic Management and Testing of NHIs
- Non-Human Identity FAQs
What Is a Multi-Domain SSL Certificate? SAN & UC Explained
- Multi-Domain SSL Certificates Explained
- How Multi-Domain SSL Works: The Power of SAN
- Core Types of Multi-Domain Certificates
- Strategic Benefits for Modern Enterprises
- Security Risks and Lateral Movement Considerations
- Implementation and Lifecycle Best Practices
- Multi-Domain SSL FAQs
What Is a Self-Signed Certificate? Risks, Uses & Best Practices
- Self-Signed Certificates Explained
- Use Cases & Real-World Examples
- How It Works
- Self-Signed Certificate Best Practices
- Risks & Challenges
- Unit 42 Intelligence: Attack Patterns
- Self-Signed Certificates FAQs
What Is a TLS/SSL Port? Port 443 and HTTPS Explained
- TLS/SSL Ports Explained
- Use Cases & Real-World Examples
- Secure vs. Unsecured Port Comparison
- TLS/SSL Port FAQs
What Is PKI? Public Key Infrastructure & Authentication Guide
- Key Data: Threats and Trends
- Why PKI Matters for Modern Organizations
- How PKI Works: The Asymmetric Model
- Key Components of a PKI Framework
- Common Risks and Implementation Challenges
- PKI Best Practices
- PKI in a Zero Trust Architecture
- Public Key Infrastructure (PKI) FAQs
What Is the TLS Handshake? Process, Steps, and Best Practices
- The Strategic Importance of the TLS Handshake
- How the TLS Handshake Works: Step-by-Step
- TLS 1.2 vs. TLS 1.3: Evolution of Speed and Security
- The Role of Cipher Suites and Digital Certificates
- Identifying and Resolving TLS Handshake Failures
- Advanced Security: TLS Fingerprinting and Threat Detection
- TLS Handshake Best Practices
- TLS Handshake FAQs
Security Standards and Compliance: SSL/TLS Best Practices
- SSL/TLS Security Standards and Compliance Explained
- Use Cases & Real-World Examples
- SSL/TLS Compliance Best Practices
- SSL/TLS Security Standards and Compliance FAQs
What is Code Signing? Benefits, Risks & Implementation
- Code Signing Explained
- Critical Benefits for Enterprise Security
- The Technical Mechanism: How Code Signing Works
- The Necessity of Trusted Timestamping
- Standard vs. EV Code Signing Certificates
- Addressing Vulnerabilities in the Signing Process
- Code Signing FAQs
What Is a TLS Decryption? Methods, Risks & Best Practices
- TLS Decryption Explained
- How TLS Decryption Works
- Methods of Decryption: Passive vs. Active
- The Role of TLS Decryption in Zero Trust
- Technical Challenges: TLS 1.3 and Performance
- Operational Best Practices and Privacy
- TLS Decryption FAQs
What Is a TLS Certificate? How TLS Secures Web Communication
- TLS Certificate Explained
- The TLS Handshake Process
- TLS vs SSL Certificates
- Critical Use Cases For TLS
- TLS Machine Identity Security Best Practices
- 5 Pillars Of Certificate Management
- The Role Of Certificate Authorities
- Unit 42 Threat Insights: Certificate Abuse
- TLS Certificate FAQs
What Is TLS Certificate Renewal? Process, Risks & Automation
- TLS Certificate Renewal: The Shift from Maintenance to Mission-Critical
- Why the 47-Day Mandate Redefines Renewal Strategy
- The Technical Lifecycle of a TLS Renewal
- Critical Risks: The High Cost of Renewal Failure
- Best Practices for Enterprise-Scale Renewal
- Overcoming Common Renewal Challenges
- TLS Certificate Renewal FAQs
What Is the TLS Certificate Lifecycle? Implementation Guide
- TLS Certificate Lifecycle Explained
- The 6 Core Stages of the TLS Certificate Lifecycle
- Why TLS Certificate Lifecycle Matters
- Key Causes of Certificate Failure
- Validation Checks: CRL and OCSP
- How Automation Improves TLS Certificate Lifecycle
- TLS Certificate Lifecycle and Zero Trust
- TLS Certificate Lifecycle FAQs
What Is Certificate Management?
- Certificate Management Explained
- Core Capabilities of Certificate Management
- Common Challenges: The “Red Flag” Checklist
- How Certificate Management Supports Zero Trust
- Implementation Roadmap: Best Practices
- Certificate Management vs. TLS Certificate Lifecycle
- Certificate Management FAQs
What Is Cert-Manager? Kubernetes Certificate Management Explained
- cert-manager Explained
- Core Components: Issuers and Certificates
- 1. Issuers and ClusterIssuers
- 2. Certificates
- How cert-manager Automates Machine Identity
- Common Compatible Cloud Platforms
- Zero Trust and Kubernetes Security Alignment
- Integrating cert-manager into DevSecOps Workflows
- Benefits for DevSecOps Teams
- cert-manager FAQs
TLS/SSL Offloading: Definition & Decision Checklist
- TLS/SSL Offloading Explained
- SSL Termination vs. SSL Bridging
- Key Differences in Workflow
- Unit 42 Perspective: Risks of Uninspected Traffic
- Benefits for Security and Infrastructure Teams
- CISO Decision Checklist: SSL Termination vs. SSL Bridging for Compliance
- Detailed CISO Decision Checklist
- Summary Recommendation for CISOs
- TLS/SSL Offloading FAQs
What Is an X.509 Certificate? Definition, Standards, and Role
- X.509 Certificates Explained
- The Anatomy Of An X.509 Certificate
- Important X.509 v3 Extensions
- The X.509 Trust Hierarchy And Chain
- Machine Identity And Management Challenges
- Risks Of Poor Certificate Management
- Zero Trust And X.509 Alignment
- How Does X.509 Support Zero Trust?
- X.509 Certificate FAQs
What Is Certificate Validation? Guide to Best Practices
- Certificate Validation Explained
- The Role of Certificate Authorities and the Chain of Trust
- The Hierarchy of Trust
- The Sequence of the Validation Process
- Types of Certificate Validation Levels
- Unit 42 Insights: The Risk of Identity Exposure
- Threat Behavior Observations
- Troubleshooting Common Validation Failures
- Certificate Validation FAQs
What Is Certificate Pinning? Benefits, Risks & Best Practices
- Certificate Pinning Explained
- How Certificate Pinning Works
- Listiche: Key Stages of a Pinning Failure
- Types of Certificate Pinning
- Listiche: Static vs. Dynamic Pinning
- Why Pinning Is Essential for Zero Trust
- Certificate Pinning vs. Standard SSL/TLS
- Benefits of Certificate Pinning
- Risks and Limitations of Certificate Pinning
- When to Use Certificate Pinning
- When to Avoid Certificate Pinning
- Certificate Pinning Best Practices
- Certificate Pinning and Machine Identity Security
- FAQs
What is Cloud Workload Security? Protection & Best Practices
- Cloud Workload Security Explained
- Why Cloud Workload Security Matters
- Key Components of a Cloud Workload Security Strategy
- Use Cases & Real-World Examples
- Cloud Workload Security Best Practices
- Benefits of Strong Cloud Workload Security
- Cloud Workload Security FAQs
What Is ACME Protocol?
- ACME Protocol Explained
- How The ACME Protocol Works
- ACME Across The Machine Identity Lifecycle
- ACME Challenges
- Why ACME Matters For Machine Identity Security
- Implementation Patterns
- Real World Evidence
- Where ACME Secrets Leak In Real Life
- ACME Protocol FAQs
What is SPIFFE? Universal Workload Identity Framework Guide
- SPIFFE Explained: Solving the Workload Identity Problem
- Core Components of the SPIFFE Standard
- The SPIFFE Workload API
- Why Traditional Secret Management Fails in Cloud-Native Environments
- The Problem of "Secret Zero"
- Vulnerabilities of Static Credentials and Long-Lived Tokens
- IP-Based Security vs. Identity-Based Security
- How SPIFFE Implementation Works: The Attestation Process
- The Role of SPIRE as the Reference Implementation
- Critical Use Cases for Enterprise Security
- SPIFFE FAQs
What Is an SSL Stripping Attack?
- Why SSL Stripping Belongs in Identity Security
- SSL Stripping Explained
- How SSL Stripping Works
- Where SSL Stripping Happens
- Signs of SSL Stripping
- Identity-Focused Impact
- Machine Identity Security Impact
- How to Prevent SSL Stripping
- SSL Stripping Prevention Checklist
- SSL Stripping FAQs
What Is a Machine Identity?
- How Do Machine Identities Work?
- Machine Identity Management (MIM) vs. Human IAM
- Architecture Components and Identity Types
- Secrets Management vs. Machine Identity Management
- Lateral Movement and Attacker Workflow
- Cloud Security Implications and CIEM
- Implementation Steps for Machine Identity Security
- Machine Identity FAQs

What Is a Multi-Domain SSL Certificate?

3 min. read

Table of Contents

A Multi-Domain SSL Certificate is a specialized digital certificate that allows organizations to secure multiple distinct domain names and subdomains under a single certificate. By utilizing the subject alternative name (SAN) extension, a single certificate can protect diverse environments, such as example.com, shop.example.net, and internal-portal.local, drastically reducing administrative complexity and overhead.

Key Points

Efficient Consolidation: Protects up to 100-250 unique domains with one certificate, depending on the CA.
Flexible Architecture: Supports different Top-Level Domains (TLDs) like .com, .org, and .net simultaneously.
Streamlined Management: Simplifies the renewal process by consolidating multiple expiration dates into one.
Zero Trust Foundation: Enhances identity security by ensuring all web properties meet high encryption standards.
Cost Reduction: Lowers the total cost of ownership compared to purchasing individual certificates for each domain.

Multi-Domain SSL Certificates Explained

In a traditional setup, every unique domain requires its own SSL/TLS certificate. For a global enterprise managing hundreds of microservices, regional sites, and staging environments, this creates a "certificate sprawl" that is nearly impossible to track manually. A Multi-Domain SSL certificate, often referred to as a SAN certificate or unified communications certificate (UCC), solves this by acting as a single security umbrella.

Unlike a wildcard SSL, which only secures subdomains of a single base domain (e.g., *.example.com), a multi-domain certificate can secure completely unrelated domains. This makes it the preferred choice for organizations with diverse brand portfolios or complex cloud security requirements where assets are spread across different domains.

Side-by-side comparison table titled “Multi-Domain vs. Wildcard Comparison.” The left column shows a multi-domain certificate with orange certificate icons covering two separate domains: company.com and global-sales.net. The right column shows a wildcard certificate with orange certificate icons covering subdomains under the same base domain, represented by blog.company.com and mail.company.com. The diagram highlights that a multi-domain certificate secures different domain names, while a wildcard certificate secures multiple subdomains of one domain.

Figure 1: Multi-Domain vs. Wildcard Certificate Comparison

How Multi-Domain SSL Works: The Power of SAN

The technical backbone of this certificate is the subject alternative name (SAN) field within the X.509 certificate standard. When a browser connects to a site, it checks the SAN field to see if the specific domain it is visiting is listed and authorized by the certificate.

The SAN Configuration Process

CSR Generation: The administrator generates a certificate signing request (CSR) for the primary domain.
Listing SANs: During the application, the administrator lists all additional domains (SANs) to be included.
Validation: The certificate authority (CA) validates ownership for every domain listed in the SAN field.
Deployment: Once issued, the single certificate is installed on the server hosting those domains.

Feature	Multi-Domain (SAN)	Wildcard SSL
Domain Coverage	Multiple unique domains (https://www.google.com/search?q=site-a.com, site-b.net)	Multiple subdomains (*https://www.google.com/search?q=.site-a.com)
Flexibility	High (Mix and match domains)	Low (Locked to one base domain)
IP Requirements	Can secure multiple sites on one IP	Can secure multiple sites on one IP
Validation Level	Domain (DV), Organization (OV), or EV	DV and OV only (EV wildcards are not permitted by CA/Browser Forum rules)

Core Types of Multi-Domain Certificates

Organizations must align their certificate type with their specific zero trust requirements and the sensitivity of the data they protect.

Standard Multi-Domain (DV): Quickest to issue; provides basic encryption and domain validation. Ideal for internal test environments.
Organization Validated (OV): Requires business identity verification. This adds a layer of trust by showing the organization's name in the certificate details.
Extended Validation (EV): The highest tier of identity vetting. Browsers no longer display EV distinctly from OV, so the practical benefit is documented identity verification rather than user-visible trust signals.
Multi-Domain Wildcard: A hybrid solution that allows you to secure multiple domains AND all their respective subdomains.

Strategic Benefits for Modern Enterprises

Consolidating your network security through multi-domain certificates provides more than just cost savings; it enhances operational resilience.

1. Operational Efficiency

Managing 50 individual certificates means 50 different expiration dates. Multi-domain certificates synchronize these into a single renewal cycle, significantly reducing the risk of an accidental expiration that could lead to a site outage.

2. Simplified Server Configuration

Server Name Indication (SNI) and multi-domain certificates are two approaches to hosting multiple sites on one IP. SNI presents different certificates per hostname. Multi-domain certificates use one certificate for many hostnames. Organizations often use both, with SNI to separate unrelated tenants and multi-domain certs to consolidate related sites.

3. Unified Security Standards

Using a single certificate ensures that every site, from the main corporate portal to the smallest regional blog, uses the same high-strength encryption algorithms and key lengths, maintaining a consistent security posture across the entire cloud security footprint.

Security Risks and Lateral Movement Considerations

While Multi-Domain certificates simplify management, they introduce specific risks that Unit 42 researchers frequently highlight in threat behavior analysis.

Credential Theft & Shared Risk: If the private key associated with a Multi-Domain certificate is compromised, every single domain listed on that certificate is now vulnerable. This "all-eggs-in-one-basket" scenario can facilitate lateral movement, as an attacker gaining access to one site’s traffic may find it easier to spoof or intercept traffic for another domain on the same certificate.
Identity Exposure: Because all SANs are publicly visible in the certificate, an attacker can use a Multi-Domain certificate to map an organization’s entire infrastructure, discovering "hidden" staging or development domains that might be less secure.
Blast Radius: A certificate revocation due to a security breach affects all associated domains simultaneously, potentially causing a widespread service interruption.

Implementation and Lifecycle Best Practices

To maximize the benefits of Multi-Domain SSL while mitigating risks, organizations should follow these industry-standard practices:

Apply Least Privilege: Do not group highly sensitive production domains with low-security development domains on the same certificate. Use separate certificates to limit the impact of a compromise.
Automate Renewals: Use certificate lifecycle management (CLM) tooling or ACME-based automation to monitor certificate health and handle renewal before expiration.
Strict Private Key Storage: Store private keys in Hardware Security Modules (HSMs) or secure key vaults to prevent unauthorized access.
Use Modern Protocols: Ensure your certificates support TLS 1.3 to leverage the latest performance and security enhancements.
Regular Audits: Periodically review the SAN list to remove domains that are no longer in use, reducing your public-facing attack surface.

Multi-Domain SSL FAQs

Yes, but it requires "re-issuing" the certificate. You add the new SANs, and the CA must validate the new domains before providing an updated certificate file for you to install.

Yes. "Multi-Domain" is the marketing term, while "SAN certificate" refers to the technical extension (Subject Alternative Name) that makes the multi-domain capability possible.

Most Certificate Authorities allow between 100 and 250 domains per certificate, though the initial price usually covers the first 3 to 5 domains.

Yes, SAN certificates are compatible with all modern mobile browsers and operating systems, as they follow the standard X.509 certificate format.

Choose a Wildcard if you have an infinite or rapidly changing number of subdomains under one specific domain. Choose Multi-Domain if you need to secure different domain names.