SANs are the list of hostnames a certificate is valid for. Modern certificates put all covered names here; the legacy Common Name field alone is no longer sufficient.

CT is a system of public, append-only logs that record issued certificates, letting domain owners detect mis-issued or unexpected certificates for their names.

Automate renewal well before expiry — for 90-day certificates such as Let’s Encrypt, renew around 30 days out — so a failed renewal has time to retry before users see errors.