Subscribe to the Non-Human & AI Identity Journal
Authentication, Authorisation & Trust

SAN Licensing

← Back to Glossary
By NHI Mgmt Group Updated July 10, 2026 Domain: Authentication, Authorisation & Trust

SAN licensing is a commercial model that allows multiple domain names or certificate uses under a single certificate framework. In fast-rotation environments, it matters because pricing and renewal structure can either support or hinder frequent, policy-driven certificate replacement.

Expanded Definition

SAN licensing, in a certificate context, is the commercial model that determines how many subject alternative names can be covered under one certificate and what renewal or issuance rights are included. In NHI operations, the term matters because one certificate may protect multiple services, hostnames, or endpoints, so the licensing model can either support agile rotation or create procurement friction. Definitions vary across vendors because some treat SAN capacity as a billing dimension, while others bundle it into a broader certificate framework. For practitioners, the practical question is not just how many names fit on a certificate, but whether the license model allows policy-driven replacement without delay. That distinction becomes important when certificates are tied to automated workloads, ephemeral environments, or rapid infrastructure change. For control expectations around certificate lifecycle and cryptographic protection, NIST SP 800-53 Rev 5 Security and Privacy Controls remains a useful external reference. The most common misapplication is treating SAN licensing as a one-time procurement detail, which occurs when teams ignore how renewal terms affect certificate rotation under automation.

Examples and Use Cases

Implementing SAN licensing rigorously often introduces procurement and renewal constraints, requiring organisations to weigh certificate flexibility against administrative overhead.

  • A platform team uses one certificate across multiple internal service endpoints and needs SAN licensing that permits frequent reissuance during blue-green deployments.
  • A CI/CD pipeline provisions certificates for short-lived test environments, and a restrictive SAN model slows rollout because each new domain or environment requires manual approval.
  • A multi-region application consolidates hostnames under a single certificate framework, reducing certificate sprawl but making license terms a dependency for release speed.
  • An identity engineering team reviews Ultimate Guide to NHIs guidance alongside NIST SP 800-53 Rev 5 Security and Privacy Controls to ensure certificate usage aligns with automated renewal and access governance.
  • A SaaS vendor offering tenant-specific subdomains negotiates SAN licensing to keep onboarding fast while preserving clear ownership of each certificate name.

Why It Matters in NHI Security

SAN licensing affects more than cost. It shapes how quickly an organisation can replace certificates when secrets policies change, infrastructure is restructured, or compromise response requires immediate rotation. In NHI environments, slow or inflexible certificate procurement can become a hidden blocker to zero standing privilege, especially where certificates serve as machine identity anchors for services, workloads, and APIs. NHIMG research shows that 71% of NHIs are not rotated within recommended time frames, increasing compromise risk over time, and that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. Those risks intensify when certificate licensing discourages frequent replacement. The operational lesson is that certificate economics and identity governance are inseparable: a poor licensing model can quietly undermine policy enforcement even when tooling is in place. For broader lifecycle context, the Ultimate Guide to NHIs and the NIST control set together show why certificate agility must be planned as part of identity governance, not as an afterthought. Organisations typically encounter SAN licensing pain only after an outage or compromise forces emergency certificate replacement, at which point the licensing model becomes operationally unavoidable to address.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST Zero Trust (SP 800-207), NIST SP 800-63 and NIST AI RMF set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-02Covers NHI secret and certificate handling that SAN licensing can enable or impede.
NIST CSF 2.0PR.AC-1Identity and credential management includes certificate-based machine identities.
NIST Zero Trust (SP 800-207)Zero Trust relies on continuously managed machine trust, including certificates.
NIST SP 800-63AAL2Assurance concepts help frame trust strength for non-human certificate use cases.
NIST AI RMFAI systems using machine identities need governed credential and certificate lifecycles.

Ensure certificate licensing supports fast rotation and does not block compliant NHI lifecycle controls.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 10, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org