A certificate created that way would not be valid for the .org domain because the subjectAltName overrides the subject name. Is that intentional? Or are implementations expected to include the CN in a subjectAltName extension, if present?
For your first question, no, it's not related to "subjectAltNames". There are some use cases where the commonName attribute in an X.509 certificate has multiple entries. You're correct in that it's discouraged, but there are some common LDAP use cases that make use of this discouraged behavior.
For your second question, I don't think we thought too hard with the example, but we can certainly update it to make it more realistic and valid. We'll have to take a look at some of these rules. Is there an issue with having CommonName present at all? From some openssl examples I see, it's making use of both "CN" and "subjectAltName" in the request config file.
Got it, I'll fix up my implementation then. Will there be a property to reflect the subjectAltName?
Setting both the subject CN and the subjectAltName is perfectly fine and seems to be common practice, judging from a number of websites I checked. The CN won't be interpreted as a DNS name in that case, but most certificates just seem to repeat one of the DNS names anyway.
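The precedence rule discussed in this thread, written out as an added example (not code from the thread or from the project under discussion): it models a parsed certificate as a list of subject CN values plus a list of subjectAltName dNSName entries and applies the RFC 6125 rule that the CN is only a fallback when no dNSName entries exist; the sample names are constructed.

```python
# Constructed sample (not from the thread): a certificate whose subject CN
# names a domain that is NOT listed in its subjectAltName, as in the question.
SAMPLE_SUBJECT_CN = ["example.org"]
SAMPLE_SAN_DNS = ["example.com", "*.example.com"]


def candidate_dns_names(subject_cn, san_dns):
    """Return the names a client may compare the requested hostname against.

    RFC 6125 precedence: if the certificate carries any dNSName entries in
    subjectAltName, only those are used and every subject CN value is ignored.
    The CN list (possibly multi-valued, as noted above) is consulted only when
    no dNSName entries are present at all.
    """
    if san_dns:
        return list(san_dns)
    return list(subject_cn)


def _dns_id_matches(pattern, hostname):
    """Case-insensitive DNS-ID comparison.

    A single '*' is accepted only as the entire left-most label, it matches
    exactly one label, and it may not be used directly under a TLD.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def matches_hostname(hostname, subject_cn, san_dns):
    """True if hostname matches a name the client is allowed to consider."""
    names = candidate_dns_names(subject_cn, san_dns)
    return any(_dns_id_matches(p, hostname) for p in names)


if __name__ == "__main__":
    # The .org name from the subject CN does not count once a SAN is present.
    print(matches_hostname("example.org", SAMPLE_SUBJECT_CN, SAMPLE_SAN_DNS))
    print(matches_hostname("www.example.com", SAMPLE_SUBJECT_CN, SAMPLE_SAN_DNS))
```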