Yes, the certificate needs SANs that match the TLS SNI the client requests. Caddy will not choose a certificate that does not have matching SANs. Using CN for TLS is deprecated since RFC 2818, published in May 2000 (CN is unsupported in Caddy).