I generated a CSR via cPanel or WHM for a single domain, why does it contain a SAN?
Initially, SSL certificates only allowed the designation of a single hostname in the certificate subject called Common Name (CN). Now, SSL certificates are first verified for the SAN, and if no SAN is defined, it will fall back to the CN.
It is best practice to define both CN and SAN when requesting a certificate. The critical point is that CN and SAN are not complimentary, and any CN that's defined should be a subset of the SAN list.
In short, it is expected to see a SAN listed when you decode a CSR, even if the CSR is for one hostname.