@schoen maybe as an alternative is using SAN and allow a preset template of common subdomains to listed.
So end user could create a template of common subdomains
Then run the client against the template and generate a SAN SSL cert with those subdomains ?
Some folks like myself have common subdomain hosts which I create i.e. blog, news, support, forums, community, portal, downloads, email, mail, shop, cdn, cdn2, cdn3, image, image2, image3, static etc. For subdomains I have a preset ist of ~100 subdomains which are most used for myself
ssl crt, csr, and key size wise it would be much larger though. Probably, would help to have ECC 256 bit SSL support so that you can reduce the size by up to 66%