smallstep / cli

🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
https://smallstep.com/cli
Apache License 2.0

`step ca certificate` should warn when passed-in subject names are ignored #1271

Open tashian opened 2 months ago

tashian commented 2 months ago

When I get a certificate using an OIDC provisioner, the --san I provide is silently ignored. step should warn the user that the flag was ignored.

example output:

step ca certificate vpn --san strongswan.lan vpn.crt vpn.key --not-after 8784h
✔ Provisioner: authority-admin (OIDC) [client: de7774d8-a136-4e29-8450-026022a64ce4]
Your default web browser has been opened to visit:

https://auth.smallstep.com/oidc/auth?client_id=de77...

⚠️ Your subject name and --san flag were ignored. By default, OIDC provisioners issue certificates based on trusted OIDC token values only.
✔ CA: https://my.ca.smallstep.com
✔ Certificate: vpn.crt
✔ Private Key: vpn.key
hslatman commented 1 month ago
maraino commented 1 month ago

A CSR with the given SANs is created. A certificate template can be used to set the SANs from the CSR instead of the default ones for an OIDC provisioner, the email and the account URI. Example of the CSR request:

-----BEGIN CERTIFICATE REQUEST-----
MIH1MIGcAgEAMA4xDDAKBgNVBAMTA3ZwbjBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABFtRPVaIF1eAqNRfJB1JRLjnzn/x1yjUP95Yn0P3SO+Ex7s3w5PSaoorSIUH
/h9e/LIZl971y1/PfC8Y7TcwsNqgLDAqBgkqhkiG9w0BCQ4xHTAbMBkGA1UdEQQS
MBCCDnN0cm9uZ3N3YW4ubGFuMAoGCCqGSM49BAMCA0gAMEUCIQDEN2e6NC24tpSa
ZJJgD8wZIbrVgrzN/nxrIRSIlqqEigIgNrP2wrIqkz5HtCy3UqgS0uMXRyuzw5MU
7XD43qiveK4=
-----END CERTIFICATE REQUEST-----
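The CSR quoted above does carry the requested SAN, which is why the silent drop is surprising to the user: the request asks for `strongswan.lan`, the OIDC provisioner's default template replaces it with the token's email and account URI, and nothing compares the two. The Go program below is an added example (not part of `step`, `step-ca`, or this issue's discussion) that performs exactly that comparison on the client side: it parses the CSR from the comment above, collects the names it requested, and reports any that are absent from the set of names the CA actually issued. The "issued" set in `main` is a constructed stand-in for an OIDC-issued leaf (an email and an account URI, both made-up values); in real use it would come from the returned certificate via `SANsFromCertificate`. A non-empty `DroppedSANs` result is the condition under which the warning proposed in this issue should be printed.

```go
package main

import (
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net"
	"net/url"
	"sort"
)

// csrPEM is the CSR quoted in the comment above (produced by
// `step ca certificate vpn --san strongswan.lan ...`), used as the input here.
const csrPEM = `-----BEGIN CERTIFICATE REQUEST-----
MIH1MIGcAgEAMA4xDDAKBgNVBAMTA3ZwbjBZMBMGByqGSM49AgEGCCqGSM49AwEH
A0IABFtRPVaIF1eAqNRfJB1JRLjnzn/x1yjUP95Yn0P3SO+Ex7s3w5PSaoorSIUH
/h9e/LIZl971y1/PfC8Y7TcwsNqgLDAqBgkqhkiG9w0BCQ4xHTAbMBkGA1UdEQQS
MBCCDnN0cm9uZ3N3YW4ubGFuMAoGCCqGSM49BAMCA0gAMEUCIQDEN2e6NC24tpSa
ZJJgD8wZIbrVgrzN/nxrIRSIlqqEigIgNrP2wrIqkz5HtCy3UqgS0uMXRyuzw5MU
7XD43qiveK4=
-----END CERTIFICATE REQUEST-----`

// SANSet holds subject alternative names as "type:value" strings so that the
// names in a CSR and in an issued certificate compare with plain equality.
type SANSet map[string]struct{}

// sansFromNames flattens the four SAN kinds that crypto/x509 exposes.
func sansFromNames(dns, emails []string, ips []net.IP, uris []*url.URL) SANSet {
	s := SANSet{}
	for _, d := range dns {
		s["dns:"+d] = struct{}{}
	}
	for _, e := range emails {
		s["email:"+e] = struct{}{}
	}
	for _, ip := range ips {
		s["ip:"+ip.String()] = struct{}{}
	}
	for _, u := range uris {
		s["uri:"+u.String()] = struct{}{}
	}
	return s
}

// ParseRequestedSANs decodes a PEM CSR and returns it together with the SANs
// it requested. The CSR signature is not verified here; only the request
// content matters for deciding what the client asked for.
func ParseRequestedSANs(pemData []byte) (*x509.CertificateRequest, SANSet, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, nil, errors.New("no CERTIFICATE REQUEST block found")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, nil, err
	}
	return csr, sansFromNames(csr.DNSNames, csr.EmailAddresses, csr.IPAddresses, csr.URIs), nil
}

// SANsFromCertificate collects the SANs the CA actually put in the leaf.
func SANsFromCertificate(cert *x509.Certificate) SANSet {
	return sansFromNames(cert.DNSNames, cert.EmailAddresses, cert.IPAddresses, cert.URIs)
}

// DroppedSANs lists, sorted, every requested SAN missing from the issued set.
// A non-empty result is the case in which the CLI should warn that --san was
// ignored instead of finishing silently.
func DroppedSANs(requested, issued SANSet) []string {
	var dropped []string
	for name := range requested {
		if _, ok := issued[name]; !ok {
			dropped = append(dropped, name)
		}
	}
	sort.Strings(dropped)
	return dropped
}

func main() {
	csr, requested, err := ParseRequestedSANs([]byte(csrPEM))
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for an OIDC provisioner's default output (the
	// token's email and an account URI); real values come from the CA.
	issued := sansFromNames(nil, []string{"alice@example.com"}, nil,
		[]*url.URL{{Scheme: "https", Host: "auth.example.com", Path: "/user/alice"}})
	fmt.Printf("CSR subject CN=%q, requested %d SAN(s)\n", csr.Subject.CommonName, len(requested))
	if dropped := DroppedSANs(requested, issued); len(dropped) > 0 {
		fmt.Printf("⚠️  requested names not present in issued certificate: %v\n", dropped)
	}
}
```

Running it prints that the CSR's CN is `vpn` with one requested SAN, and that `dns:strongswan.lan` is missing from the issued set. Names are normalised to `type:value` strings so that an IP requested as `10.0.0.1` and issued as `10.0.0.1` compare equal regardless of how each side stored it, and so the same comparison works unchanged for email and URI SANs.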