With allowed SAN lists, you can limit the subject alternative names that subordinate issuing authorities can use when issuing end-user certificates.