DigiCert claims that you can add/remove alternative names on already purchased certificates right from their account (you don't even need to include them in the CSR just the primary), but I haven't tried it personally. I wonder about what authentication you, as owner of www.foo.com, have to undergo to add e.g. myapp.client.com to the alternate name.
The downside seems that the organization/country/city fields must be the same but that doesn't show unless you use EV The upside is no painful IP acquisition, CSR and renewal process.
The downside seems that the organization/country/city fields must be the same but that doesn't show unless you use EV The upside is no painful IP acquisition, CSR and renewal process.