Some applications fail to parse the certificate if the CN is not set,
even if they (correctly) check SANs before the CN when validating a
hostname. Even though the CN should be ignored if a matching SAN
hostname was found, we can prevent the parse from failing by also
including the hostname as the CN.

Additionally, switch from maps to slices to prevent DNS names and IP
addresses from being reordered when added to the certificate template.
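
An added example, not code from the commit or its project: a sketch of the described behaviour, assuming the template is Go's `crypto/x509` `Certificate`. The helper `issue` and the host values are hypothetical and constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue (hypothetical helper) self-signs a certificate whose SANs keep the
// input order (slices, not maps) and whose CN repeats the first host.
func issue(hosts []string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), // constructed; use a random serial in practice
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	for i, h := range hosts {
		if i == 0 {
			tmpl.Subject = pkix.Name{CommonName: h} // for parsers that require a CN
		}
		if ip := net.ParseIP(h); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
		} else {
			tmpl.DNSNames = append(tmpl.DNSNames, h)
		}
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // round-trip through DER, as a client would see it
}

func main() {
	cert, err := issue([]string{"b.example.test", "10.0.0.5", "a.example.test", "10.0.0.1"})
	if err != nil {
		panic(err)
	}
	fmt.Println(cert.Subject.CommonName, cert.DNSNames, cert.IPAddresses)
}
```

Iterating a Go map to fill `DNSNames` and `IPAddresses` would yield a different SAN order from run to run, so the same inputs would not reproduce the same certificate contents.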