If you want to use Subject Alternative Names on internal SSL certificates issued by Active Directory Certificate Services, you have to configure the CA (Certificate Authority) to accept the SAN attribute from a certificate request.

By default the CA does not honour the SAN attribute supplied in a request, so the issued certificate contains no Subject Alternative Names.

One case where this is useful is connecting to an internal web server without certificate warnings whether you use a CNAME alias, the FQDN or the NetBIOS name.

Run the following commands on the CA to configure it (the service restart is required for the new EditFlags value to take effect):

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc

To add a Subject Alternative Name to a certificate, add the following to the request attributes:

san:dns=dns_name

where dns_name is the Subject Alternative Name you need.

You can specify several names by separating them with an ampersand (&):

san:dns=dns_name1&dns=dns_name2

AD CS will accept the request and issue a certificate with Subject Alternative Names in it.

Remember to update the HTTPS bindings after installing the certificate on your internal web server (IIS).
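As an added example (not part of the original post), the PowerShell script below checks whether the CA currently has EDITF_ATTRIBUTESUBJECTALTNAME2 set in policy\EditFlags and builds the san:dns=... attribute string for a request. It assumes it runs in an elevated prompt on the CA host; the host names and the request.req path are placeholders.

```powershell
# Added example, not the original post's code. Reads the CA's EditFlags with
# certutil, reports whether the SAN request attribute is honoured, and builds
# the attribute string shown in the post. Host names below are placeholders.

# EDITF_ATTRIBUTESUBJECTALTNAME2 is bit 0x40000 of policy\EditFlags.
$EditfAttributeSubjectAltName2 = 0x40000

function Get-CaEditFlags {
    # certutil prints a line such as: "  EditFlags REG_DWORD = 15014e (1376590)"
    $out = certutil -getreg policy\EditFlags 2>&1 | Out-String
    if ($out -match 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') {
        return [Convert]::ToInt32($Matches[1], 16)
    }
    throw "Could not read policy\EditFlags from certutil output: $out"
}

function Test-SanAttributeEnabled {
    $flags = Get-CaEditFlags
    return (($flags -band $EditfAttributeSubjectAltName2) -ne 0)
}

function New-SanAttribute {
    param([Parameter(Mandatory)][string[]]$DnsNames)
    # Produces "san:dns=name1&dns=name2", the format the CA expects in
    # the request attributes (certreq -attrib or the web enrollment page).
    return 'san:' + (($DnsNames | ForEach-Object { "dns=$_" }) -join '&')
}

if (Test-SanAttributeEnabled) {
    Write-Host 'EDITF_ATTRIBUTESUBJECTALTNAME2 is set: SAN request attributes are accepted.'
    # With this flag set, any enrollee can name arbitrary hosts in a request,
    # so review which accounts are allowed to enroll on the relevant templates.
} else {
    Write-Host 'EDITF_ATTRIBUTESUBJECTALTNAME2 is NOT set: SAN request attributes are ignored.'
}

# Placeholder names; replace with the aliases your server is reached by.
$attrib = New-SanAttribute -DnsNames 'intranet', 'intranet.corp.example', 'www.corp.example'
Write-Host "Request attribute: $attrib"
# Submit an existing CSR with the attribute (request.req is a placeholder path):
#   certreq -submit -attrib "$attrib" request.req
```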

