Hi all, (Very long post…)
I am looking into how I can reduce the number of SAN entries in Skype Front End Pool / Proxy and Edge certificate. The customer has numerous SIP Domains (21) and I want to reduce the number of SAN entries in the certificates.
Customer SIP Domains: (Changing the SIP Domains is NOT an option).
no.customername.com
se.customername.com
dk.customername.com
us.customername.com
fr.customername.com
etc.customername.com …..
This results in a Front-End / Web Service (Proxy) certificate with about 66 SAN entries using the certificate wizard.
CN=FEPoolName
SAN=FE01
SAN=FE02
SAN=FE0x
SAN=dialin.no.customername.com
SAN=meet.no.customername.com (this is the common meet URL for all SIP Domains)
SAN=sip.<CountryCode>.customername.com…(one per SIP Domain x21)
SAN=LyncdiscoverInternal…. (one per SIP Domain x21)
SAN=Lyncdiscover…. (one per SIP Domain x21)
SAN=PoolName
This is A LOT of SAN entries and I want to reduce this as much as possible. Microsoft states in a TechNet article that you can reduce the LyncDiscover entries by using CNAMEs. However, Microsoft also states, “This approach is supported, but we do not recommend it.” without really explaining why. That will not do for the customer or me. I need to understand if this could negatively affect a full SfB deployment (all modalities internally and externally).
Next is the Edge External certificate:
CN=ExtEdgePoolName
SAN=sip.<CountryCode>.customername.com…(one per SIP Domain 21x)
SAN=<CountryCode>.customername.com…(one per SIP Domain 21x)
SAN=AccessEdgeFQDN
SAN=WebConferencingEdgeFQDN
SAN=ExtEdgePoolName
Why does the wizard add SAN entries for the <domain name> in addition to sip.<domain name>? It makes perfect sense that you add sip.<domain name> to the cert, but it does not make any sense to add the <domain name> as well. The documentation on Edge certificate requirements for SfB is nonexistent.
So to summarize:
How can I reduce the number of SAN entries in Front End Pool / Web Service and Edge Pool External certificates in Skype for Business?
Thanks in advance,
Christer