
Commit 601eac7

author
Matthew Fisher
committed
feat(controller): support SAN certificates
This feature allows a user to specify a list of SubjectAltNames (SANs) for a specified certificate. This has the effect of creating multiple certificate entries in the database (one for each SAN), but it gives the user the ability to revoke the certificate for each custom domain.

By default, SANs are **not** added as new entries with `certs:add`. The user will need to explicitly give each subject alt name they wish to add as a certificate.

Usage:

```
$ deis certs:add ~/.openssl/star.fishworks.io.cert ~/.openssl/private.key.nopass --subject-alt-name foo.fishworks.io --subject-alt-name bar.fishworks.io
Adding SSL endpoint... done *.fishworks.io
Adding SSL endpoint foo.fishworks.io...done
Adding SSL endpoint bar.fishworks.io...done
$ deis certs
Common Name         Expires
----------------    ----------------------
*.fishworks.io      2015-08-29T08:17:48UTC
foo.fishworks.io    2015-08-29T08:17:48UTC
bar.fishworks.io    2015-08-29T08:17:48UTC
```

In order for users to update their certificate, they will need to run `deis certs:remove` for each entry, then re-run `deis certs:add`.

Docopt does not respect ellipsis when '[options]' is present, so I had to explicitly write out the option in the usage in order for the flag to work.

Additionally, a new --common-name flag has been introduced. This is a temporary workaround for users to add their wildcard certificates to their custom domain endpoints. This acts the same way where a database entry is created for each call to `certs:add`. If users want to update their wildcard certificate, they'll have to update each entry they've added. This is not the optimal solution, but it provides a way for us to support wildcard certificates for custom domains.

Usage:

```
$ deis certs:add ~/.openssl/star.fishworks.io.cert ~/.openssl/private.key.nopass --common-name foo.fishworks.io
Adding SSL endpoint foo.fishworks.io...done
$ deis certs
Common Name         Expires
----------------    ----------------------
foo.fishworks.io    2015-08-29T08:17:48UTC
```
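As an added example (not part of this commit or of Deis), the server-side check this change leaves open: confirm that a client-supplied `common_name` is actually covered by the certificate's CN or one of its DNS SANs, applying the single-label wildcard rule so `*.fishworks.io` accepts `foo.fishworks.io` but not `fishworks.io`. The list of certificate names is passed in directly here and stands in for names parsed from the uploaded PEM.

```python
"""Validate a user-supplied common name against the names a certificate covers.

Added example, not Deis code: `cert_names` is the CN plus all DNS SANs of the
uploaded certificate (constructed inline here instead of parsed from PEM).
"""

def _normalize(name: str) -> str:
    # DNS names are case-insensitive; drop a trailing dot from FQDN form.
    return name.strip().lower().rstrip(".")


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard must be the whole left-most label and
    covers exactly one label, so `*.example.com` matches `foo.example.com`
    but neither `example.com` nor `a.b.example.com`."""
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    # Reject partial wildcards (f*.example.com) and too-broad ones (*.com).
    if labels[0] != "*" or any("*" in l for l in labels[1:]) or len(labels) < 3:
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def validate_common_name(cert_names, requested):
    """Return the normalized name to store, or raise ValueError when the
    certificate does not cover the requested common name."""
    requested = _normalize(requested)
    if any(hostname_matches(n, requested) for n in cert_names):
        return requested
    raise ValueError("certificate does not cover %r (covers: %s)"
                     % (requested, ", ".join(cert_names)))


# Constructed sample: the wildcard certificate from the commit message.
STAR_FISHWORKS = ["*.fishworks.io"]

if __name__ == "__main__":
    print(validate_common_name(STAR_FISHWORKS, "foo.fishworks.io"))  # foo.fishworks.io
    for bad in ("fishworks.io", "a.b.fishworks.io", "evil.example.com"):
        try:
            validate_common_name(STAR_FISHWORKS, bad)
        except ValueError as exc:
            print("rejected:", exc)
```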
1 parent d175961 commit 601eac7

2 files changed

Lines changed: 17 additions & 2 deletions


api/serializers.py

Lines changed: 3 additions & 2 deletions
@@ -275,8 +275,9 @@ class Meta:
275275
"""Metadata options for a DomainCertSerializer."""
276276
model = models.Certificate
277277
extra_kwargs = {'certificate': {'write_only': True},
278-
'key': {'write_only': True}}
279-
read_only_fields = ['common_name', 'expires', 'created', 'updated']
278+
'key': {'write_only': True},
279+
'common_name': {'required': False}}
280+
read_only_fields = ['expires', 'created', 'updated']
280281

281282

282283
class PushSerializer(ModelSerializer):
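Review bot: with `common_name` dropped from `read_only_fields` and made writable through `extra_kwargs` (`'common_name': {'required': False}`), this hunk shows no corresponding validation that the submitted name is one the uploaded certificate actually covers (its CN or a DNS SAN). As written, a `certs:add --common-name` entry can be created under a name the certificate does not match, which the commit message accepts as a temporary workaround; a `validate_common_name` method on the serializer that rejects names absent from the parsed certificate would close that gap, and the intended behaviour should at least be documented on the field.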

api/tests/test_certificate.py

Lines changed: 14 additions & 0 deletions
@@ -80,6 +80,20 @@ def test_create_certificate_with_domain(self):
8080
HTTP_AUTHORIZATION='token {}'.format(self.token))
8181
self.assertEqual(response.status_code, 201)
8282

83+
def test_create_certificate_with_different_common_name(self):
84+
"""
85+
In some cases such as with SAN certificates, the certificate can cover more
86+
than a single domain. In that case, we want to be able to specify the common
87+
name for the certificate/key.
88+
"""
89+
body = {'certificate': self.autotest_example_com_cert,
90+
'key': self.key,
91+
'common_name': 'foo.example.com'}
92+
response = self.client.post(self.url, json.dumps(body), content_type='application/json',
93+
HTTP_AUTHORIZATION='token {}'.format(self.token))
94+
self.assertEqual(response.status_code, 201)
95+
self.assertEqual(response.data['common_name'], 'foo.example.com')
96+
8397
def test_get_certificate_screens_data(self):
8498
"""
8599
When a user retrieves a certificate, only the common name and expiry date should be
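Review bot: the new test only exercises the happy path: it posts `self.autotest_example_com_cert` with `'common_name': 'foo.example.com'` and asserts a 201 and that the response echoes the supplied value, so it would pass equally if the API accepted any arbitrary name. A companion test for a common name the certificate does not cover (expecting a 400, or whatever behaviour is intended) would pin down the contract; the docstring also speaks of SAN certificates while the fixture name points at a plain autotest.example.com certificate, so either the fixture or the docstring should be adjusted.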
