Using SAN in admin & node certificates DN?

Hi,
For the properties searchguard.nodes_dn & searchguard.authcz.admin_dn, it is mandatory to list the DNs of the certificate?

I have admin certificate generated as:

Owner: CN=abc.com
Issuer: CN=Example Com Inc. Signing CA, OU=Example Com Inc. Signing CA, O=Example Com Inc., DC=example, DC=com
Extensions:

#6: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: admin
]

Can we use the SAN entries of the certificate (DNSName: admin) to configure searchguard.authcz.admin_dn instead of the DN?
Reason - I have an existing certificate generation process used for multiple applications, and further customizations/additions can be done only to its SAN. When i tried configuring the SAN, I face the following issue:

Elasticsearch configuration:
searchguard.authcz.admin_dn: admin

Provide logs:
Elasticsearch-

{"type":"log","host":"es-san-elk-elasticsearch-master-0","level":"ERROR","systemid":"4636c00bfc3849e0be179bc71cef17f8","system":"elk","time": "2020-07-06T08:35:05.229Z","logger":"c.f.s.c.AdminDNs","timezone":"UTC","marker":"[es-san-elk-elasticsearch-master-0] ","log":"Unable to parse admin dn admin"}
javax.naming.InvalidNameException: Invalid name: admin
        at javax.naming.ldap.Rfc2253Parser.doParse(Rfc2253Parser.java:111) ~[?:?]
        at javax.naming.ldap.Rfc2253Parser.parseDn(Rfc2253Parser.java:70) ~[?:?]
        at javax.naming.ldap.LdapName.parse(LdapName.java:785) ~[?:?]
        at javax.naming.ldap.LdapName.<init>(LdapName.java:123) ~[?:?]
        at com.floragunn.searchguard.configuration.AdminDNs.<init>(AdminDNs.java:58) [search-guard-7-7.0.1-35.0.0-102.jar:7.0.1-35.0.0-102]
        at com.floragunn.searchguard.SearchGuardPlugin.createComponents(SearchGuardPlugin.java:741) [search-guard-7-7.0.1-35.0.0-102.jar:7.0.1-35.0.0-102]
        at org.elasticsearch.node.Node.lambda$new$9(Node.java:438) [elasticsearch-7.0.1.jar:7.0.1]
        at java.util.stream.ReferencePipeline$7$1.accept(ReferencePipeline.java:271) [?:?]
        at java.util.ArrayList$ArrayListSpliterator.forEachRemaining(ArrayList.java:1654) [?:?]
        at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:484) [?:?]
        at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:474) [?:?]
        at java.util.stream.ReduceOps$ReduceOp.evaluateSequential(ReduceOps.java:913) [?:?]
        at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) [?:?]
        at java.util.stream.ReferencePipeline.collect(ReferencePipeline.java:578) [?:?]
        at org.elasticsearch.node.Node.<init>(Node.java:441) [elasticsearch-7.0.1.jar:7.0.1]
        at org.elasticsearch.node.Node.<init>(Node.java:251) [elasticsearch-7.0.1.jar:7.0.1]
        at org.elasticsearch.bootstrap.Bootstrap$5.<init>(Bootstrap.java:211) [elasticsearch-7.0.1.jar:7.0.1]
        at org.elasticsearch.bootstrap.Bootstrap.setup(Bootstrap.java:211) [elasticsearch-7.0.1.jar:7.0.1]
        at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:325) [elasticsearch-7.0.1.jar:7.0.1]
        at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:159) [elasticsearch-7.0.1.jar:7.0.1]
        at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:150) [elasticsearch-7.0.1.jar:7.0.1]
        at org.elasticsearch.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:86) [elasticsearch-7.0.1.jar:7.0.1]
        at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:124) [elasticsearch-cli-7.0.1.jar:7.0.1]
        at org.elasticsearch.cli.Command.main(Command.java:90) [elasticsearch-cli-7.0.1.jar:7.0.1]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:115) [elasticsearch-7.0.1.jar:7.0.1]
        at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:92) [elasticsearch-7.0.1.jar:7.0.1]

OID SAN is used only to authorize the inter-node communication. You should configure the searchguard.authcz.admin_dn properly to authorize admin https://docs.search-guard.com/latest/configuring-tls#configuring-admin-certificates

If you are willing to compile Java code against the Search Guard source code, you can provide a custom principal extractor class to use a SAN entry as principal. See here for the interface:

You will need to package the extractor as JAR and put it into the plugins/search-guard-7/ directory of the ES installation.