I have a RHEL7 IPA server installed as a subordinate CA. I'd like to be able to add SANs for a different DNS domain than exists in the IPA realm. The DNS for 'otherdomain.com' is handled by Active Directory, which my IPA server has a cross-forest trust with.

host: client1.ipadomain.com
certificate: CN = client1.ipadomain.com, SAN = client1.ipadomain.com, servicename.otherdomain.com

When I try to submit this CSR with 'ipa-getcert request' the IPA server denies with: "The service principal for subject alt name servicename.otherdomain.com in certificate request does not exist"

It seems that the default CAACL enforces a profile named 'caIPAserviceCert', but I'm having some trouble determining what can be modified (or cloned and changed in a new profile) that would allow the CA to sign a CSR that contains *.ipadomain.com and *.otherdomain.com in the SAN.

This is the only section in the profile that contains SAN:
policyset.serverCertSet.12.constraint.name=No Constraint
policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name