If you look to RFC 6125 (sec. 1.5) you can see that the subjectAlternativeName is the relevant part for the certificate validation in your browser. Thus you can specify more than use dnsname (or with certbot: multiple -d options) being valid for your certificate. Modern browsers (esp. Chrome) only use the subjectAlternativeName instead of the common name. So, you need a subjectAlternativeName even if your cert is for one domain only. The common name should be one of the subjectAlternativeNames. Certbot minds all this stuff and sets the first passed -d option as the common name and adds all domains being passed by the -d option to the subjectAlternativeName. Yes, I already saw that placing the wildcard name as the common name is recommended but I didn't encounter problems with this version. I choose this variant to obviate problems with "crazy" configuration files forcing you to escape the asterisk and so on. If you want to create a cert with the wildcard as the common name just swap the -d options.