I'm curious if it is possible to restrict which subject alternative names are allowed for certificate signing requests towards ADCS. I would like to prevent issuing wildcard certificates for example. I did have a look at ADCS certificate templates but I don't see any settings that would influence this behavior.
I understand that one way to prevent this is CA manager approval and reviewing requests but in an environment where no such approval happens it would be good to have support for "blocklists" or rules / policies that the CSR has to adhere to and if a request to sign a certificate for *.example.com
comes in and simply discards the request.