Which name should I use as Common Name for my Multi-Domain SSL certificate?

In General

The best answer depends on which server software you're using, but don't worry, because even if you don't choose the best Common Name at first, you can always reissue your certificate (for free) with a different Common Name.

Exchange 2007

It's probably best to use the name which will be used by mobile devices for their ActiveSync connections.

Here is why:

Many organizations need to support a variety of mobile devices which connect to the mail server for ActiveSync. There are many mobile devices out there, with various SSL capabilities.

The most common form of name matching is for the SSL client to compare the server name it connected to with the common name in the server's certificate. It's safe to assume this basic matching will be supported by all SSL clients.

If the SSL client supports SANs (Subject Alternative Names) and there is a SAN extension in the server's certificate, then the client will ignore the subject common name entirely and try to match the server name to one of the names in the SAN list. (This is why you will always see the subject common name repeated in the SAN list.)
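The matching rule just described, as an added example (not DigiCert's code, nor that of any real TLS library): `Cert`, `matches` and the sample certificates are assumed names, and the wildcard branch extends the rule to the leftmost-label form used by wildcard certificates.

```python
"""Models the two client behaviours described above: a SAN-aware client ignores the
CN whenever a SAN extension is present; a legacy client only compares the CN."""
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Constructed stand-in for the identity fields of an X.509 certificate."""
    common_name: str
    sans: list = field(default_factory=list)  # dNSName entries; [] = no SAN extension


def _name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact match, plus a single leftmost-label wildcard
    (the form used by wildcard certificates such as *.contoso.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], hostname.split(".")
        # The wildcard covers exactly one label; it never matches "contoso.com" itself.
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return False


def matches(cert: Cert, hostname: str, san_aware: bool = True) -> bool:
    """Return True if `hostname` is accepted for `cert`.
    san_aware=True  models a modern client: with a SAN extension present, only the
                    SAN list is consulted and the CN is ignored (hence the CN must
                    be repeated in the SAN list to stay reachable by that name).
    san_aware=False models an older client that only knows the CN."""
    if san_aware and cert.sans:
        return any(_name_matches(san, hostname) for san in cert.sans)
    return _name_matches(cert.common_name, hostname)


# Constructed sample: the three-name certificate from the buffet example below.
CONTOSO = Cert("mail.contoso.com",
               ["mail.contoso.com", "www.contoso.com", "communications.contoso.com"])
# Constructed sample: CN deliberately left out of the SAN list.
CN_NOT_IN_SAN = Cert("mail.contoso.com", ["www.contoso.com"])

if __name__ == "__main__":
    for host in ("mail.contoso.com", "communications.contoso.com"):
        print(host, "legacy:", matches(CONTOSO, host, san_aware=False),
              "SAN-aware:", matches(CONTOSO, host))
    print("CN missing from SAN, SAN-aware:", matches(CN_NOT_IN_SAN, "mail.contoso.com"))
```

Running it shows the legacy client accepting only the CN while the SAN-aware client accepts every listed name, and rejecting the CN outright when it is absent from the SAN list.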

OCS 2007

Use the FQDN server name. If you don't, you may receive a somewhat confusing error message in your event logs: "Remote principal name is not configured in trusted server list."

DigiCert lets you mix and match

DigiCert Multi-Domain SSL certificates are like a trip to an all-you-can-eat buffet. First, they have an unlimited server license just like our WildCard certs, which means we don't charge 5x the price if you have 5 servers. To our knowledge, we're the only CA this generous with our licensing terms. We just charge you once: for the names. The extra server licenses are free. But it gets better: you can issue variations on your Multi-Domain SSL certificate for free, any time you like (meaning, you can use any one of the names you already paid for as the Common Name).

To illustrate: You pay $395 for a Multi-Domain SSL certificate with the names mail.contoso.com, www.contoso.com and communications.contoso.com, and you set the Common Name to mail.contoso.com in your CSR. You install the cert on your mail server and your web server with no problems. Then you put the certificate on your OCS server named communications.contoso.com and it won't work, because OCS wants the Common Name of its certificate to be communications.contoso.com. All you have to do is log in to your DigiCert customer area, go to your order, and click on the "Get a Duplicate" action button. It pops up a window asking for a new CSR. You generate a CSR with communications.contoso.com as the Common Name and submit that CSR to us. Our system sends you a certificate with communications.contoso.com as the Common Name, and www.contoso.com and mail.contoso.com as Subject Alternative Names. You put that certificate on the OCS box and it works fine. At the end of the whole exercise you've still only paid $395 to DigiCert. Of course you would have to pay more if you come back needing more than five names in your Multi-Domain SSL cert, but you get the idea: we only charge for the names, and we give our customers lots of flexibility.