When signing a certificate request, subjectAltName cannot be copied to certificate when using templates

[meyergru]

After I create a CSR and create subjectAltNames like DNS:xyz, IP:1.2.3.4, I can choose to "copy extensions from the request" when I try to sign it.

However, If I also want to apply a template, like for "key usage" or other parameters, I can only choose between applying extensions or subject or both (all). So, if I want to use anything useful from the template, the specific request parameters are overwritten.

I cannot have the best of both worlds - or at least I cannot make it work:

• define a type of certificate via a template plus
• overwrite specific parameters (especially subjectAltName) in the CSR

The only way to have both is to repeat every specific setting like subjectAltName during signing, which is problematic especially when certificates are short-lived and shall be re-issued later on.