I am managing a Windows 2008 ADCS CA and have been aware of the security risks in issuing certificates with SANs. So I tested issuing a PKCS10 file with SANs in the request and it issued the certificate with the SANs when it's supposed to be blocked.
To be sure, I used the command certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2 (notice the minus) to remove the SAN flag if it was present, and it wasn't.
This does, however, block adding SANs from the additional request attributes when using something like this: san:dns=webmail.domainc.com&dns=mail.domainc.com&dns=autodiscover.domainc.com
So is there a way to completely block SANs from issued certificates regardless of where they are specified?
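Added audit script, not part of the original post: it reads the CA's EditFlags value straight from the registry and reports whether EDITF_ATTRIBUTESUBJECTALTNAME2 is set, which is the same state the poster checked with certutil. The registry path under CertSvc\Configuration and the flag value 0x40000 are the documented Windows constants; the function names are my own.

```powershell
# Added example (not from the original post). Assumes it runs on the CA host with
# rights to read the CertSvc registry hive. Registry path and the flag constant
# EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000 are documented Windows values.

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000
$CertSvcConfig = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

function Get-ActiveCaName {
    # CertSvc stores the name of the active CA in the "Active" value.
    (Get-ItemProperty -Path $CertSvcConfig -Name Active).Active
}

function Get-CaEditFlags {
    param([string]$CaName = (Get-ActiveCaName))
    # certutil -getreg/-setreg policy\EditFlags reads and writes this same DWORD.
    $policyKey = Join-Path $CertSvcConfig "$CaName\PolicyModules\CertificateAuthority_MicrosoftDefault.Policy"
    [int](Get-ItemProperty -Path $policyKey -Name EditFlags).EditFlags
}

function Test-SanAttributeFlag {
    param([int]$EditFlags = (Get-CaEditFlags))
    # True when the CA will honour a "san:" request attribute.
    ($EditFlags -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0
}

$flags = Get-CaEditFlags
if (Test-SanAttributeFlag -EditFlags $flags) {
    Write-Warning ("EditFlags=0x{0:X}: EDITF_ATTRIBUTESUBJECTALTNAME2 is SET; SANs passed as request attributes will be added to issued certificates." -f $flags)
    Write-Output 'Clear it with: certutil -setreg policy\EditFlags -EDITF_ATTRIBUTESUBJECTALTNAME2, then restart the certsvc service.'
} else {
    Write-Output ("EditFlags=0x{0:X}: EDITF_ATTRIBUTESUBJECTALTNAME2 is clear; the request-attribute path is closed." -f $flags)
}
```

This only confirms the state of the request-attribute path, which is what the flag governs. A SAN extension embedded in the PKCS#10 itself is accepted whenever the issuing template lets the enrollee supply the subject name, so a clear EditFlags bit, as the poster found, does not by itself stop that case; the template's subject-name settings are what to review for it.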