I think the reason they couldn't do it is that they want a certificate for *.sub.example.com. Wildcards tend to trip up certificate provisioning in annoying ways.