How to copy CN attribute into SAN entry
On RSACM 6.9 560, is it possible to enforce, at the jurisdiction level, duplication of the CN attribute into a SAN entry? How can this be achieved? All in all, is there a way to issue certificates that comply with the latest Chrome and Firefox releases, which enforce having a SAN entry containing the FQDN of the certificate?
Thank you,
If the jurisdiction's certificate attributes section is updated to include CN in the Subject Alt Names extension, the CN value will be included in the SAN extension, however as directoryName (Directory Address), and not as dNSName (DNS Name), which is what you would want. There are a few options to include the SAN extension in certificates:
A) If only ONE dNSName needs to be included in SAN: Go to the jurisdiction's Certificate Attributes section, add an attribute of type DC (you can change the Label from "Domain Component" to something user friendly such as "Hostname/IP for SAN"), uncheck the option "Include in Subject DN" and check the option "Include in Subject Alternative Names Extension". (Note that if you include more than one DC attribute, all DC attributes are merged into a single value, hence the limitation of this solution to only one dNSName.)
B) If more than ONE dNSName needs to be included in SAN: Go to the jurisdiction's Certificate Attributes section, add an attribute of any type (other than DC), change the Label to something user friendly such as "Hostname(s)/IP(s) for SAN", and uncheck the option "Include in Subject DN". Also update the extension profile to include the Subject Alternative Names extension. During the vetting process, the administrator can copy the hostname/IP values from the request and enter them into the SAN extension dNSName fields.
C) If certificates are automatically issued (e.g., through OneStep, REST API, etc.), then a custom extension plugin can be developed and used together with option B above. RSA Professional Services may need to be engaged in this scenario to help develop the custom extension plugin.
