If you want to use Subject Alternative Names on internal SSL certificates issued by Active Directory Certificate Services you have to configure CA (Certificate Authority) to accept SAN attribute from a certificate request.
By default CA does not issue certificates with SAN attribute.
Ability to connect without certificate issues (warning) to internal web server using a CNAME alias, FQDN or NetBios is one example where this becomes useful.
Run the following commands to configure CA:
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 net stop certsvc net start certsvc
To add Subject Alternative Name to certificate add following to it’s attributes:
where dns_name is required Subject Alternative Name.
You can specify more names by separating them with an ampersand (&).
AD CS will accept the request and issue a certificate with Subject Alternative Names in it.
Remember to edit https bindings after installing certificate on your internal server (IIS)