A multi-domain SSL certificate — also called a SAN certificate, UCC certificate, or Subject Alternative Name certificate — lets you secure multiple different hostnames under a single certificate. Unlike a wildcard certificate that covers unlimited subdomains of one domain at one level, a multi-domain cert covers a specific list of hostnames that can span entirely different root domains: example.com, another-site.com, and api.third.net all on one certificate.
When multi-domain makes sense
Use a multi-domain certificate when you need to secure a fixed, manageable list of hostnames — especially when they span different root domains, or when you need EV validation on specific subdomains. If you have many subdomains under one root domain and more may be added dynamically, a wildcard certificate is simpler and more flexible.
What is a multi-domain SSL certificate?
An SSL/TLS certificate contains a field called the Subject Alternative Name (SAN) extension, defined in RFC 5280. A standard single-domain certificate has one SAN entry — the hostname it covers. A multi-domain certificate has multiple SAN entries, each representing a different hostname the certificate is valid for.
The hostnames listed do not need to be related. A single multi-domain certificate can simultaneously cover:
| SAN Entry | Relationship |
|---|---|
| example.com | Root domain |
| www.example.com | Subdomain of example.com |
| shop.example.com | Subdomain of example.com |
| another-site.com | Completely different root domain |
| api.third-brand.net | Subdomain of a third root domain |
| mail.fourth.org | Subdomain of a fourth root domain |
All six entries above could exist on a single multi-domain certificate. One private key, one certificate file, one renewal cycle — covering hostnames across multiple separate projects or brands.
SAN vs UCC — are they the same thing?
Yes, essentially. The two terms describe the same certificate type from different angles:
SAN Certificate
Subject Alternative Name is the X.509 extension that holds the list of covered hostnames. "SAN certificate" refers to any certificate with multiple SANs — whether 2 or 250 — and is the most common technical term in the industry.
UCC Certificate
Unified Communications Certificate was a Microsoft term for SAN certificates designed specifically for Exchange Server and Office Communications Server. The term spread into general marketing but describes the same underlying SAN mechanism.
Whether a CA sells it as "Multi-Domain SSL," "SAN Certificate," or "UCC Certificate," the underlying technology is identical: an X.509 certificate with multiple Subject Alternative Name entries validated per the CA/Browser Forum Baseline Requirements.
What hostnames a multi-domain cert can cover
Multi-domain certificates can include any combination of:
Every SAN must pass domain control proof (DV), organization vetting (OV), or EV vetting depending on the certificate type. The CA/Browser Forum Baseline Requirements govern what hostnames can appear and how they are validated.
DV, OV, and EV multi-domain certificates
Unlike wildcard certificates, which are limited to DV or OV, multi-domain certificates are available at all three validation levels. Each SAN is validated to the level of the certificate type.
| Type | Validation per SAN | Issuance time | Typical use case |
|---|---|---|---|
| DV Multi-Domain | Domain control check per SAN (HTTP file, DNS TXT, or email) | Minutes | Dev environments, staging, SaaS subdomains, basic public sites |
| OV Multi-Domain | Organization existence + domain control per SAN | 1–3 business days | Corporate sites, ecommerce, SaaS platforms, multi-brand portfolios |
| EV Multi-Domain | Full EV vetting per SAN — no wildcards permitted | 3–5 business days per domain | Banking, regulated industries, high-value ecommerce requiring maximum identity trust |
For a deep dive on validation differences see OV vs EV SSL, or browse all SSL certificate types.
Multi-domain vs wildcard: how to choose
The right choice depends on your hostname topology:
Choose multi-domain (SAN) when:
- You need to cover hostnames across multiple different root domains
- You need EV validation (EV wildcards do not exist)
- You have a fixed, bounded list of specific hostnames
- Some entries are deeply nested (sub.sub.example.com)
- You are running Microsoft Exchange or Skype for Business (UCC use case)
Choose wildcard when:
- You have many subdomains under one root domain — including ones added dynamically
- You want unlimited subdomain coverage without reissuing
- DV or OV validation is sufficient
- All hostnames share the same root domain
Wildcard + SAN combination: You can include wildcard entries (e.g. *.example.com) alongside specific SANs (e.g. another-site.com) on a single DV or OV multi-domain certificate. This combination gives maximum coverage flexibility in one certificate — at a higher price point.
How SAN certificate pricing works
Multi-domain certificate pricing follows a base + per-SAN add-on model. The base price covers a minimum number of SANs (typically 2–5), and each additional SAN is purchased as an add-on. Pricing varies by CA and validation level:
| Level | Approx. base/yr | Additional SAN/yr | Notes |
|---|---|---|---|
| DV Multi-Domain | $50–$150 | $15–$30 each | Issues in minutes |
| OV Multi-Domain | $150–$400 | $20–$50 each | 1–3 day vetting |
| EV Multi-Domain | $400–$800 | $50–$150 each | Full EV per SAN |
Prices above are indicative ranges for 2026. For exact My-SSL pricing, see our SSL pricing page or browse all SSL certificate options. For a broader cost breakdown see SSL Certificate Pricing Guide 2026.
The 199-day validity impact on multi-domain certificates
Since March 2026, all publicly-trusted SSL/TLS certificates — including multi-domain — are capped at 199 days' validity under CA/Browser Forum Ballot SC-081v3. For multi-domain certificates this creates concentrated risk: when the certificate expires, every hostname on its SAN list becomes untrusted simultaneously.
Validity schedule (all public TLS certificates)
- • March 2026: max 199 days (in effect now)
- • March 2027: max 100 days
- • March 2029: max 47 days
Full breakdown: SSL Certificates Are Now Limited to 199 Days.
Adding SANs to a certificate does not extend validity — the expiry date is fixed at issuance. If you reissue mid-cycle to add a new SAN, the new certificate starts a fresh 199-day clock covering the updated SAN list.
For OV and EV multi-domain certificates, the renewal process involves re-validating each SAN. With vetting turnaround of 1–5 business days per domain and certificates expiring every ~6 months, start renewal at least 30–45 days before expiry for OV and 45–60 days for EV.
Managing a multi-domain certificate
Multi-domain certificates introduce a few operational considerations beyond single-domain certificates:
One CSR, one private key
Generate one CSR listing all SANs. The private key is shared across every covered hostname — which means it must be deployed to every server or load balancer handling any of those hostnames. If different SANs run on separate infrastructure, each node needs a copy of the same private key and certificate file.
Automation with ACME
ACME (RFC 8555) fully supports multi-domain issuance. For DV SANs, each domain is validated via HTTP-01 or DNS-01 challenge — the client handles this automatically when configured correctly. Certbot, acme.sh, and Caddy all support multi-domain issuance natively.
Certbot & ACME automation guideAdding or removing SANs requires reissuance
You cannot add or remove a SAN from an issued certificate without reissuing. Most CAs offer free reissuance — but the new certificate starts a fresh 199-day validity period regardless of remaining time on the old certificate. Group SAN additions together to minimize reissuances.
SNI deployment across multiple servers
If SANs on your certificate serve from different servers, deploy the same certificate and key to each server and configure Server Name Indication (SNI) so clients receive the correct certificate. SNI is universally supported by all modern browsers and operating systems.