If you want to use Subject Alternative Names on internal SSL certificates issued by Active Directory Certificate Services, you have to configure the CA (Certificate Authority) to accept the SAN attribute from a certificate request.
By default (for security reasons) the AD CS CA does not issue certificates with a SAN attribute supplied in the request.
Being able to connect to an internal web server without certificate warnings using a CNAME alias, the FQDN or the NetBIOS name is one example of where this becomes useful.
Run the following commands on the CA to configure it (the CA service must be restarted for the change to take effect):
certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
To add a Subject Alternative Name to a certificate, add the following to the request attributes:
san:dns=dns_name
where dns_name is the required Subject Alternative Name.
You can specify more names by separating them with an ampersand (&).
san:dns=dns_name1&dns=dns_name2
AD CS will accept the request and issue a certificate with Subject Alternative Names in it.
Remember to edit the HTTPS bindings after installing the certificate on your internal server (IIS).
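The following PowerShell script is an added example, not code from the original post: it checks whether the CA already has EDITF_ATTRIBUTESUBJECTALTNAME2 set, submits a request with the san attribute in exactly the form described above, and reads the DNS names back out of the issued certificate. The CA config string, template name, host names and file paths are assumptions.

```powershell
# Added example: audit the CA flag, request a SAN certificate, verify the result.
# Assumed values (replace with your own): CA config string "<server>\<CA name>",
# template name, host names and working-directory file names.
$CaConfig = 'ca01.corp.example\Corp-Issuing-CA'
$Template = 'WebServer'
$SanNames = @('intranet.corp.example', 'intranet', 'web01.corp.example')

# 1. Does the CA accept SAN from request attributes?
#    certutil -getreg lists the names of the flags set in policy\EditFlags;
#    EDITF_ATTRIBUTESUBJECTALTNAME2 is bit 0x40000 of that DWORD.
#    Note for the auditor: once set, any requester can supply any SAN on any
#    template the CA issues, so confirm the flag is intended, not just present.
function Test-CaAcceptsSanAttribute {
    param([string]$Config)
    $out = & certutil -config $Config -getreg policy\EditFlags 2>&1
    return [bool]($out | Select-String -Pattern 'EDITF_ATTRIBUTESUBJECTALTNAME2' -Quiet)
}

# 2. Build the request attribute string: san:dns=a&dns=b&dns=c
function New-SanAttribute {
    param([string[]]$Names)
    return 'san:' + (($Names | ForEach-Object { "dns=$_" }) -join '&')
}

# 3. Read DNS names out of the SAN extension (OID 2.5.29.17) of an issued cert.
#    Format() output is localized; the 'DNS Name=' prefix is the English form.
function Get-CertSanDnsNames {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    return @($ext.Format($true) -split '\r?\n' |
        Where-Object { $_ -match '^DNS Name=' } |
        ForEach-Object { ($_ -split '=', 2)[1].Trim() })
}

if (-not (Test-CaAcceptsSanAttribute -Config $CaConfig)) {
    throw "CA $CaConfig does not have EDITF_ATTRIBUTESUBJECTALTNAME2 set; the san attribute would be ignored."
}

# Minimal PKCS#10 request; the SAN goes in the submit attributes, not in the .inf.
@"
[NewRequest]
Subject = "CN=$($SanNames[0])"
KeyLength = 2048
MachineKeySet = TRUE
RequestType = PKCS10
"@ | Set-Content -Path .\san.inf
& certreq -new .\san.inf .\san.req
# certreq separates attributes with a literal "\n" (PowerShell leaves it as-is).
$attrib = "CertificateTemplate:${Template}\n$(New-SanAttribute -Names $SanNames)"
& certreq -submit -config $CaConfig -attrib $attrib .\san.req .\san.cer
$issued = Get-CertSanDnsNames -Path .\san.cer
Compare-Object -ReferenceObject $SanNames -DifferenceObject $issued  # empty = all names present
```

Run this as a user who has Request permission on the template; if Compare-Object prints nothing, every requested name is in the issued certificate and it can be accepted with certreq -accept .\san.cer before binding it in IIS.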
Follow this reference guide from Technet: How to Request a Certificate With a Custom Subject Alternative Name: http://technet.microsoft.com/en-us/library/ff625722(WS.10).aspx#BKMK_Security
Another interesting web article with configuration sample: http://www.ldap389.info/en/2011/04/29/powershell-enterprise-ca-pki-create-san-certificate-iis-7-server-we/
