it's standard behaviour for web browsers to not use hostnames in Subject at all but require SAN. current ssl(8) text suggests "some new" and "deprecated" rather than "stopped supporting".
comments/ok? Index: ssl.8 =================================================================== RCS file: /cvs/src/share/man/man8/ssl.8,v retrieving revision 1.67 diff -u -p -r1.67 ssl.8 --- ssl.8 25 Mar 2019 18:36:58 -0000 1.67 +++ ssl.8 10 May 2019 11:48:41 -0000 @@ -94,9 +94,9 @@ You can also sign the key yourself, usin -out /etc/ssl/server.crt .Ed .Pp -Note that some new browsers have deprecated using the common name of a -certificate and require that subject alt names are provided. -This may require the use of +Note that standard web browsers do not use the common name of a subject, +but instead require that subject alt names are provided. +This requires the use of .Ar -extfile Pa server.ext when self-signing. .Bd -literal -offset indent