i tried using an internal CA that was setup from scratch on Windows 2008 R2 the other day (and have ran in to this problem in the past)

the CA has the attribute for issuing SAN certs turned off so what you need to do is


go to an administrator command prompt on the CA

type – -> certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

then this will restart the services…

net stop certsvc
net start certsvc

this is crucial especially if you run OCS or Exchange and use internally signed certificates….