boulder
Allow CSRs whose CN is longer than acceptable
Today, if someone submits a CSR with a CN, we respect that CN and carry it over to the issued certificate. (If their CSR doesn't have a CN, we promote one of their SANs, unless none of the SANs fit.) But if their CSR's CN doesn't fit in a certificate's CN, then we refuse to issue.
Instead, we should just ignore that suggested CN and issue the cert without a CN, the same as if all the SANs had been too long.
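The behaviour described in this issue and the requested change, side by side, as an added example that is not Boulder's own code. The names `selectCN`, `promoteSAN` and `ignoreLongCN` are hypothetical, the 64-character limit is RFC 5280's `ub-common-name`, and promoting the first SAN that fits is an assumption.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"strings"
)

// maxCNLength is the RFC 5280 upper bound on commonName (ub-common-name).
const maxCNLength = 64

var errCNTooLong = errors.New("CSR common name is longer than 64 characters")

// promoteSAN returns the first SAN that fits in a CN, or "" if none does.
// Choosing the first fit is an assumption of this example.
func promoteSAN(sans []string) string {
	for _, san := range sans {
		if len(san) <= maxCNLength {
			return san
		}
	}
	return ""
}

// selectCN picks the certificate CN from a CSR. With ignoreLongCN false it
// models today's behaviour (an oversized CN refuses issuance); with true it
// models the proposal (the oversized CN is dropped and the cert has no CN).
func selectCN(csr *x509.CertificateRequest, ignoreLongCN bool) (string, error) {
	cn := csr.Subject.CommonName
	switch {
	case cn == "":
		return promoteSAN(csr.DNSNames), nil
	case len(cn) <= maxCNLength:
		return cn, nil
	case ignoreLongCN:
		return "", nil
	default:
		return "", errCNTooLong
	}
}

func main() {
	long := strings.Repeat("a", 60) + ".example.com" // 72 chars, constructed
	csr := &x509.CertificateRequest{Subject: pkix.Name{CommonName: long}, DNSNames: []string{long, "example.com"}}
	_, err := selectCN(csr, false)
	cn, _ := selectCN(csr, true)
	fmt.Printf("today: %v; proposed CN: %q\n", err, cn)
}
```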