Subject Alternative Name (SAN) configuration
In the context of SSL/TLS certificates, the Subject Alternative Name (SAN) is an extension that allows a single certificate to specify multiple domain names and IP addresses.^[600-developer__tools__security__CA.md]
This configuration is essential when securing environments where a service needs to be accessible via different hostnames (e.g., localhost, specific domain names, or wildcard domains) or when the Common Name (CN) field alone is insufficient for modern browser security requirements.^[600-developer__tools__security__CA.md]
Configuration Methods
The specific method for configuring the SAN depends on the tools used to generate the Certificate Signing Request (CSR) or the Self-Signed Certificate.
OpenSSL Configuration Files
When using OpenSSL to generate certificates for a specific domain, the SAN is typically defined in a configuration file (such as caconfig.cnf or exampleserver.cnf mentioned in standard setups).^[600-developer__tools__security__CA.md]
To configure the SAN, you must modify the relevant configuration file to point to the desired domain name:
- File: caconfig.cnf
- Directive: Modify the subjectAltName line.
- Format: subjectAltName = DNS:<your-domain>^[600-developer__tools__security__CA.md]
This ensures the resulting certificate explicitly lists the domain as valid, which is critical for local development or custom domain setups.
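The subjectAltName directive described above, as an added example that is not from the original page or its source. It goes beyond the single DNS entry by listing two DNS names and an IP address through an alt_names section, then checks that the entries are present in the issued certificate. The name dev.example.test and the file names san.cnf, key.pem and cert.pem are assumptions.

```bash
# Added example: dev.example.test, san.cnf, key.pem and cert.pem are
# constructed placeholders, not names from the page.

make_san_cert() {
    # $1 = working directory, $2 = primary DNS name for the certificate
    cat > "$1/san.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ext
prompt             = no

[ dn ]
CN = $2

[ v3_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = $2
DNS.2 = localhost
IP.1  = 127.0.0.1
EOF
    # Self-signed, short-lived, unencrypted key: for local testing only.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$1/san.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

list_san() {
    # Print the SAN entries of certificate $1, one per line.
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//'
}

has_san() {
    # Succeeds only if $2 (e.g. "DNS:localhost") is an exact SAN entry of $1.
    list_san "$1" | grep -Fxq "$2"
}
```

Running list_san against the generated cert.pem shows exactly which names a client will accept, which is the quickest way to confirm that an edit to the configuration file reached the certificate.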
Hostname Resolution
While not a direct part of the certificate generation, modifying the system's hosts file is a related step often performed during SAN configuration for local testing.^[600-developer__tools__security__CA.md] This maps the domain name specified in the SAN to a local IP address (e.g., 127.0.0.1), allowing the browser to resolve the request to the local server that presents the certificate.
127.0.0.1 <your-domain>
Related Concepts
- [[Public Key Infrastructure]]
- OpenSSL
- [[Common Name]]
Sources
^[600-developer__tools__security__CA.md]