Make sure CA is not leaking domain name

parent issue #71

Ensure we make sure there's as little identifying information in the CA as possible (this is visible in the clienthello during vanilla OpenVPN handshake when tls-crypt is not used, although this is less of an issue if we adopt tls-crypt)