In web.properties, we can set only one SAN DNSname in the field 'httpsserver.an', because the EMPTY End Entity profile allows only one SAN DNSname.
It's useless, because when you set one SAN DNSname in a certificate, web servers and web browsers only read this SAN field and ignore the CN attribute value.
So when we want two FQDNs for a server certificate, we need to set two DNSname values in the SAN extension.
It can be useful for an EJBCA VM in a DMZ which is accessible from a VLAN with one FQDN (e.g. pki.foo.lan), and from the Internet with another FQDN (e.g. pki.foo.org). For example, for a PoC without a front-end (not for production, of course).
Ref.: RFC 6125
- set 2 or 3 SAN DNSname in the EMPTY End Entity profile
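
Added example (not part of the original report and not EJBCA code): a simplified model of the RFC 6125 section 6.4.4 rule cited above, showing why a certificate with one SAN DNSname cannot serve a second FQDN through its CN. Certificates are modelled as plain dictionaries with constructed values; the function names and the wildcard policy are assumptions of this sketch.

```python
def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive label-by-label match.

    '*' is accepted only as the complete left-most label, and (a policy
    choice of this sketch) only when at least two labels follow it.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def certificate_matches(hostname, subject_cn, san_dns_names):
    """Return (matched, identifier_source) for a server certificate.

    RFC 6125 6.4.4: if the certificate presents any DNS-ID (SAN dNSName),
    the client must not fall back to the CN, even when the CN would match.
    """
    if san_dns_names:
        ok = any(dns_name_matches(n, hostname) for n in san_dns_names)
        return ok, "SAN"
    ok = subject_cn is not None and dns_name_matches(subject_cn, hostname)
    return ok, "CN"


# Constructed sample certificates using the FQDNs from the text above.
ONE_SAN = {"cn": "pki.foo.org", "san": ["pki.foo.lan"]}
TWO_SAN = {"cn": "pki.foo.org", "san": ["pki.foo.lan", "pki.foo.org"]}
NAMES = ["pki.foo.lan", "pki.foo.org"]


def reachable_names(cert, names):
    """Map each FQDN to whether a client would accept the certificate for it."""
    return {n: certificate_matches(n, cert["cn"], cert["san"])[0] for n in names}


if __name__ == "__main__":
    for label, cert in (("one SAN", ONE_SAN), ("two SANs", TWO_SAN)):
        print(label, reachable_names(cert, NAMES))
```

With one SAN DNSname the certificate is rejected for pki.foo.org although the CN carries that name; with both names in the SAN extension it is accepted for both.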