Generate Subject if `forceCN` and Subject is empty

When `forceCN` is set in provisioner configuration and
Subject.CommonName is empty, set Subject.CommonName to the first SAN
from the CSR to follow letsencrypt's boulder behavior. This is done
in order to support systems which require the certificate's Subject field to
be non-empty.

N.B. certbot does not send Subject in its certificate request and relies
on similar behavior of letsencrypt.

Closes https://github.com/smallstep/certificates/issues/259
pull/260/head
Oleksandr Kovalchuk 4 years ago
parent 503c9f6101
commit 0218018cee
No known key found for this signature in database
GPG Key ID: 8D9EF9A2F5AD3CF7

@ -262,6 +262,13 @@ func (o *order) finalize(db nosql.DB, csr *x509.CertificateRequest, auth SignAut
if csr.Subject.CommonName != "" {
csr.DNSNames = append(csr.DNSNames, csr.Subject.CommonName)
}
// Generate Subject CommonName for supporting `conservative` systems
// which does not accept certificates with empty subject
if csr.Subject.CommonName == "" && p.(*provisioner.ACME).ForceCN {
csr.Subject.CommonName = csr.DNSNames[0]
}
csr.DNSNames = uniqueLowerNames(csr.DNSNames)
orderNames := make([]string, len(o.Identifiers))
for i, n := range o.Identifiers {
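
Review bot: `csr.DNSNames[0]` in the new `ForceCN` branch is read without a length check, so a CSR that reaches this point with an empty CommonName and no DNS SANs would panic with an index out of range inside `finalize`. Guard the assignment with `len(csr.DNSNames) > 0`, or reject the request with an error when there is nothing to copy. The `p.(*provisioner.ACME)` assertion in the same condition is the single-value form and panics if `p` holds any other type; the two-value form `acmeProv, ok := p.(*provisioner.ACME)` would fail closed instead. The CN is also copied before `uniqueLowerNames(csr.DNSNames)` runs on the following line, so, judging by that helper's name, the CommonName keeps the CSR's original casing while the SAN list is normalized; assigning the CN after that call would keep the two consistent. A short comment stating that the first SAN in CSR order is the one chosen would help operators who enable `forceCN`.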
