
Subject Alternative Names

acme-client(1) is unable to provide wildcard certificates. Instead, you can specify the common name and any alternative names in its configuration file. By using subject alternative names, it is possible for a single certificate to serve multiple hostnames.

Subject alternative names (SANs) are an extension to the X.509 specification used in SSL certificates. With this extension, a single certificate can carry multiple names. This is important because TLS validation will fail if the name of the host doesn't match a name on the certificate.

Using alternative names, you can provide more names for the server beyond the common name. As an example, example.com could be the common name, and www.example.com and wiki.example.com could be alternative names on the same certificate.

Warning: While a handful of alternative names are fine, using too many alternative names can cause acme-client(1) to fail. We recommend keeping the number of alternative names to 5 or fewer.

It's recommended that all names for a single service be grouped together in a single certificate. For example, if the common name is mail.example.com, the alternative names webmail.example.com and email.example.com would make sense. However, www.example.com is used by a different service (web instead of mail), so it might be better suited for a different certificate, since acme-client(1) can have issues with too many alternative names on a single certificate.