SAN vs SNI - Alternate Domain Visibility

Hi there,

I have a server with multiple domains on the same IP. It looks like SAN is the easiest way to achieve this but with a SAN certificate is it possible to see all the alternate domain names?

For instance if my website has an admin subdomain…

www.example.com
admin.example.com

And I use a SAN certificate to cover both, does that make the admin subdomain easy to find? (I know it's easy to guess, but in reality I could use something less obvious.)

From this point of view would it be preferable to keep the certs separate and use SNI? Does Certbot support SNI?

Thanks,

Jonathan

All the names for which a certificate is valid are clearly listed on the certificate. However, if your goal is to keep your subdomain names secret, then SNI won’t help you either, because all Let’s Encrypt certificates are logged to public Certificate Transparency logs which can be seen at https://crt.sh/, https://transparencyreport.google.com/https/certificates and other places.

I guess wildcards might change that when they become available, but keeping your subdomain name secret is not a great security strategy anyway as there are many ways such names can leak. Better to secure your servers so that they are safe even when their names are known.

(and to answer your last question - yes, Certbot supports SNI, in that it can be used to obtain certificates that can be used with a web server that supports SNI, and can install them in apache or nginx so as to be served via SNI. It used to also use SNI to validate control of the domain before issuing a certificate, but this was disabled recently due to a security issue and is now possible only in some special circumstances)

Regarding which approach is “better” - I’d generally recommend keeping subdomains of the same domain on the same certificate, and different domains on different certificates, to minimize the risk of hitting the rate limits.
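To make the first point above concrete, here is a small shell script added for this edit (it is not from the original thread, nor from Let's Encrypt or Certbot). It creates a throwaway SAN certificate covering three constructed hostnames, plus a single-name certificate, and then lists the DNS names each one exposes, exactly as any TLS client that receives the certificate could. The hostnames, the working directory and the `list_sans` helper are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: every DNS name on a SAN certificate is visible to whoever
# receives the certificate. Hostnames below are constructed for illustration.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed OpenSSL request config for a combined (SAN) certificate.
cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = www.example.com
[v3_san]
subjectAltName = DNS:www.example.com, DNS:admin.example.com, DNS:not-so-secret-7f3a.example.com
EOF

# Same shape, but a certificate carrying only one name (what you get
# when you run certbot separately per name and serve them via SNI).
cat > "$WORK/single.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = www.example.com
[v3_san]
subjectAltName = DNS:www.example.com
EOF

# Self-signed throwaway certs; a CA-issued cert carries the same extension.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/san-key.pem" -out "$WORK/san-cert.pem" \
  -config "$WORK/san.cnf" >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/single-key.pem" -out "$WORK/single-cert.pem" \
  -config "$WORK/single.cnf" >/dev/null 2>&1

# list_sans CERT.pem: print one DNS name per line from the certificate's
# Subject Alternative Name extension, the same data a client parses.
list_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS://p'
}

echo "Names exposed by the combined SAN certificate:"
list_sans "$WORK/san-cert.pem"
echo
echo "Names exposed by the single-name certificate:"
list_sans "$WORK/single-cert.pem"
```

To run the same check against a live server, fetch the certificate it presents for a given SNI name and feed it to the same helper, for example `openssl s_client -servername www.example.com -connect www.example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -text`. Note that the per-name certificate only hides `admin.example.com` from someone who connects to `www.example.com`; as the reply says, the separate certificate for the admin name is still published in the Certificate Transparency logs, so splitting certificates buys no secrecy.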

Thanks for the reply. That’s very helpful and clear.

Great news that Certbot supports SNI. I did try to google it but I couldn't find any info on that. So, if Apache is set up to support SNI and you run Certbot to install a cert, does it automatically install it in the correct way to use SNI? Meaning you can simply run Certbot as normal for each certificate you need.

Yes, to use SNI you just need to run certbot multiple times, once for each domain. To use SAN you run it once and specify all domain names.

The reason for this is that SNI is such a standard feature in Apache that you don’t need to do anything to enable it. (In fact, I don’t even know how to disable it in Apache, although in principle that should be possible somehow.) Therefore, there are no SNI-specific options in Certbot because it will simply automatically use your existing Apache (or other web server) support for SNI.
