Consider including the SAN as an extension and not as an attribute: http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?ID=20
Passing SANs as an attribute may lead to a security risk, because the SAN attribute requires a special flag on the CA.
When this flag is enabled, any requester can pass any SAN, which will be automatically added to the certificate without previous approval (and even if the subject is constructed automatically). Therefore I would recommend premoderating all certificate templates that accept the subject from the request. And, of course, include the SAN in the extension section. If you are using an INF file to generate the request, the INF file would contain:
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=www01.fabrikam.com&"
_continue_ = "dns=www02.fabrikam.com&"
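
An added example, not part of the original post: a PowerShell audit, run on the CA server, that reports whether the flag described above is enabled. The post does not name the flag; Microsoft's documentation calls it EDITF_ATTRIBUTESUBJECTALTNAME2 (0x00040000 in the policy module's EditFlags). The script assumes the standard AD CS registry layout, and the function names are hypothetical.

```powershell
# Added example: audit local AD CS CAs for the SAN-attribute policy flag.
# Assumes the standard CertSvc registry layout; function names are illustrative.
$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000
$configRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Test-SanAttributeFlag {
    # True when the EditFlags DWORD has the SAN-attribute bit set.
    param([Parameter(Mandatory)][long]$EditFlags)
    return ($EditFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0
}

function Get-CaSanAttributeStatus {
    if (-not (Test-Path $configRoot)) {
        Write-Warning "No AD CS configuration found under $configRoot"
        return
    }
    # Each subkey of Configuration is one CA hosted on this server.
    foreach ($ca in Get-ChildItem -Path $configRoot) {
        $policyRoot = Join-Path $ca.PSPath 'PolicyModules'
        # 'Active' names the policy module whose EditFlags the CA applies.
        $active = (Get-ItemProperty -Path $policyRoot -Name Active).Active
        $flags  = (Get-ItemProperty -Path (Join-Path $policyRoot $active) `
                                    -Name EditFlags).EditFlags
        [pscustomobject]@{
            CA                   = $ca.PSChildName
            PolicyModule         = $active
            EditFlags            = '0x{0:X8}' -f $flags
            SanAttributeAccepted = Test-SanAttributeFlag -EditFlags $flags
        }
    }
}

Get-CaSanAttributeStatus | Format-Table -AutoSize

# Where SanAttributeAccepted is True, the flag can be cleared with:
#   certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2
#   Restart-Service CertSvc
```

With the flag cleared, a SAN supplied as a request attribute is ignored, while a SAN carried in the 2.5.29.17 extension as in the INF fragment above is still processed.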