Add a means to collect SANs from a certificate

[olix0r]

We (Linkerd) currently depend on the changes in briansmith/webpki#91 to read a client certificate's DNS SANs from a server-terminated TLS connection. This PR was superseded by @Geal's briansmith/webpki#103, but this also was never merged. I'd love to find a path forward for these changes.