> and Subject Alternative Names stuff is not needed.
Somebody already chimed in about name constraints, but I'm going to emphasise again that SANs are not an "alias" mechanism. SANs are how to use the Internet's names for things with the X.509 standard. The X.509 certificate is intended as part of the X.500 global directory system. Have you used the global directory system? No, because it was never built. And so X.509's names aren't appropriate for the Internet, which actually was built.
PKIX (RFC 2459 and successors) documents how to use X.509 for the Internet, and it defines Subject Alternative Name for writing three popular names things have in the Internet: DNS names†, IP addresses‡ and email addresses.
Historically when Netscape invented SSL in the mid-1990s they abused the X.509 Common Name field to put a DNS name as text, having nowhere else to put it and billions of other more important problems to solve. But CN is arbitrary human-readable text, not a great way to write DNS names. There have been way too many bugs as a result, and that's before IDNs existed. For a SAN dnsName there's deliberately exactly one correct way to write an IDN, but if you're abusing Common Name it's unclear what you should do.
So, after PKIX was standardised it was required to write SANs in all certificates. The old Common Name was grandfathered in, but all certificates in the Web PKI should use either SAN dnsName or ipAddress or both as appropriate.
Modern web browsers don't look anywhere else. Your Chrome or Firefox isn't trying to parse mysterious text elsewhere in the Subject to see if it might be an FQDN; it just reads the SANs and parses those. The rest is for humans only.
† Yes both kinds (PKIX uses A-labels here)
‡ Yes both kinds (IPv4 and IPv6)
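The matching behaviour described in the comment above, as an added example that is not the commenter's code: a name check that reads only SAN dnsName and ipAddress entries and never consults the Subject CN. The function names are hypothetical, the sample certificate is constructed in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the left-most-label wildcard rule goes beyond what the comment discusses.

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert().
# The CN deliberately names a host that is absent from the SANs.
SAMPLE_CERT = {
    "subject": ((("commonName", "legacy.example"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.cdn.example.com"),
        ("DNS", "xn--bcher-kva.example"),  # A-label form of bücher.example
        ("IP Address", "192.0.2.10"),
        ("IP Address", "2001:db8::1"),
    ),
}

def _to_a_label(host):
    """Normalise a DNS reference name to lower-case A-labels."""
    return host.rstrip(".").encode("idna").decode("ascii").lower()

def _dns_match(pattern, host):
    p_labels, h_labels = pattern.lower().split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    # A wildcard may only be the entire left-most label.
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def san_matches(cert, reference):
    """True if `reference` matches a SAN entry; the Subject CN is never read."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None
    if ip is not None:
        # IP references match only ipAddress entries, compared as addresses
        # so that different textual spellings of one address still match.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    host = _to_a_label(reference)
    return any(kind == "DNS" and _dns_match(value, host) for kind, value in sans)
```
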