Section 7.1.4.2.2 of the CABF Baseline Requirements requires that common names always be an element from the SAN.
Here are 62 certs, from a variety of CAs which do not meet that requirement: https://misissued.com/batch/1/
These appear to be for a variety of reasons:
- just plain wrongness :-)
- leading/trailing spaces in either the CN or the SAN
- using non-IDNA-encoded values in the CN, but (correctly!) IDNA-encoding the SAN
- My personal favorite, the presence of zero-width-space unicode characters in the CN
There are probably some other reasons; there's a lot to sort through.
I've notified several of the CAs already, but not all. (I notably haven't yet notified Symantec, who appear to have the plurality of these because of the IDNA issue).
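As an added example (not code from the original post), a small stdlib-only Python checker that applies the BR rule to a certificate's CN and its SAN dNSName values and classifies a failing CN into the categories listed above. The CN/SAN pairs are constructed samples, not taken from the misissued batch; extracting the real fields from a certificate is left to whatever X.509 parser you use.

```python
"""Classify subject CN vs SAN mismatches.

The BR rule is strict: the CN, if present, must be exactly one of the SAN
values. Everything below the exact-match test only explains *why* a CN
failed, in the categories the post lists.
"""

# Zero-width code points that render invisibly inside a hostname.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\ufeff"}


def strip_zero_width(s: str) -> str:
    return "".join(ch for ch in s if ch not in ZERO_WIDTH)


def to_alabel(name: str) -> str:
    """Unicode hostname -> A-label (xn--) form via the stdlib IDNA codec.
    Pure-ASCII labels pass through unchanged; unencodable input is returned as-is."""
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name


def classify_cn(cn: str, san_dns_names: list[str]) -> str:
    """'ok' if cn is byte-for-byte one of the SAN names, else the likely cause."""
    sans = set(san_dns_names)
    if cn in sans:
        return "ok"
    if cn.strip() in sans:               # leading/trailing whitespace in the CN
        return "whitespace"
    # Check zero-width characters BEFORE the IDNA check: the codec's nameprep
    # step silently drops U+200B, so an IDNA-first comparison would mask this case.
    if strip_zero_width(cn) in sans:
        return "zero-width"
    if to_alabel(strip_zero_width(cn.strip())) in sans:  # U-label CN, A-label SAN
        return "non-idna-cn"
    return "mismatch"                    # "just plain wrongness"


# Constructed samples, one per category from the post (not real certificates).
SAMPLES = [
    ("www.example.com", ["www.example.com", "example.com"]),
    ("www.example.com ", ["www.example.com"]),
    ("b\u00fccher.example", ["xn--bcher-kva.example"]),
    ("www.exam\u200bple.com", ["www.example.com"]),
    ("other.example", ["www.example.com"]),
]


def audit(samples=SAMPLES) -> list[tuple[str, str]]:
    return [(cn, classify_cn(cn, sans)) for cn, sans in samples]


if __name__ == "__main__":
    for cn, verdict in audit():
        print(f"{cn!r:30} -> {verdict}")
```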