Stop checking CN by default for X.509 validation

[bob-beck]

As discussed with Viktor, it's past time to make this not the default.

As we now have separate setters to control setting the reference identifiers for DNSname and IP address, we can separate out CN, and the default becomes no CN unless you explicitly request one.