For Microsoft CA to construct the SubjectAltName in the issued certificate, you must enable the following flag.

​Config_CA_Accept_Request_Attributes_SAN

You can enable this flag in your remote certificate services implementation or the Microsoft CA server machine, as explained below.

See the [MS-CSRA] Microsoft document for more information on this flag. 

To enable ​Config_CA_Accept_Request_Attributes_SAN in the Microsoft CA machine

  1. Log into the Windows machine hosting the Microsoft CA server.
  2. Run the regedit command to open the Registry Editor.

  3. Select the following registry key (<CA_CN> is the Common Name of the Microsoft CA). 

    HKLM/SYSTEM/CurrentControlSet/Services/CertSvc/Configuration/<CA_CN>/PolicyModules/CertificateAuthority_MicrosoftDefault.Policy/EditFlags

  4. Calculate an OR of the current key value and 0x00040000.  For example, if the current value is 11014e, calculate: 

    0x00011014e OR 0x00040000 = 0x0001514e
  5. Set the OR result as the new key value.
  6. Run the certsrv command to display the CA service settings.
     
  7. In the navigation tree, right-click the CA name.
  8. Select All Tasks > Stop service to stop the Microsoft CA server.
  9. Select All Tasks > Start service to restart the  Microsoft CA server.