[Pki-users] SubjectAltName - how?

Hi all, I have Dogtag 10.3.3 installed from COPR @pki effort onto a CentOS 7.2 (build 1511) system. I can request and approve various different certs through the system successfully and have it working properly with SSL client certificates in Chrome. What I haven't been able to figure out is how to generate a server SSL Cert that has SubjectAltName entries in it. An example cnf file I have tried is [...] [ v3_req ] # Extensions to add to a certificate request basicConstraints = CA:FALSE keyUsage = nonRepudiation, digitalSignature, keyEncipherment subjectAltName = @alt_names [ alt_names ] DNS.1 = demo.myhome.com DNS.2 = demo DNS.3 = demo.prod.myhome.com [...] This generates a valid CSR with the SubjectAltNames in it. However when I send it through to be approved on Dogtag, the SAN gets removed. How do I setup a profile in Dogtag to allow this CSR with SAN get approved? Thanks ian