I could at least find out how to re-issue the certificates: "Erneuern der SSL-Zertifikate" (Renewing the SSL certificates)
My idea was to adjust the openssl.cnf containing the host name to add two more subjects as SANs, but:
root@ucs01:/etc/univention/ssl# grep DNS ucs01.domain.tld/openssl.cnf
subjectAltName = DNS:ucs01.domain.tld, DNS:ucs01, DNS:mdc01.domain.tld, DNS:mdc01
root@ucs01:/etc/univention/ssl# for i in *.$domainname; do univention-certificate renew -name $i -days 730; done
Renew certificate: ucs01.domain.tld
Using configuration from /etc/univention/ssl/openssl.cnf
Revoking Certificate 05.
Data Base Updated
Using configuration from /etc/univention/ssl/openssl.cnf
Using configuration from /etc/univention/ssl/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'DE'
stateOrProvinceName :PRINTABLE:'DE'
localityName :PRINTABLE:'DE'
organizationName :PRINTABLE:'domain.tld'
organizationalUnitName:PRINTABLE:'Univention Corporate Server'
commonName :PRINTABLE:'ucs01.domain.tld'
emailAddress :IA5STRING:'ssl@domain.tld'
Certificate is to be certified until Feb 4 00:03:39 2020 GMT (730 days)
root@ucs01:/etc/univention/ssl# openssl x509 -text -noout -in ucs01.domain.tld/cert.pem | grep DNS
DNS:ucs01.domain.tld, DNS:ucs01
univention-certificate renew does not respect this file, and the other (more global) SSL conf file does not contain the SAN part. Does someone know where this program gets the SANs from?
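
A way to compare the SANs requested in the per-host openssl.cnf with the SANs in the renewed certificate, as an added example that is not part of the original post. The function names `san_list` and `missing_sans` are hypothetical, and the sample lines are copied from the session above.

```shell
#!/bin/sh
# Added example: report DNS SANs that were requested in an openssl.cnf
# but are absent from the issued certificate.
# san_list and missing_sans are hypothetical helper names.

# Read text on stdin and print every DNS:<name> entry as one
# lower-cased name per line, sorted and de-duplicated.
san_list() {
    grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' \
        | tr '[:upper:]' '[:lower:]' | LC_ALL=C sort -u
}

# missing_sans CNF_TEXT CERT_TEXT
#   CNF_TEXT  : contents of the openssl.cnf (only active, uncommented
#               subjectAltName lines are considered)
#   CERT_TEXT : output of `openssl x509 -text -noout -in cert.pem`
# Prints each requested name that the certificate does not carry.
missing_sans() {
    want=$(printf '%s\n' "$1" | grep '^[[:space:]]*subjectAltName' | san_list)
    have=$(printf '%s\n' "$2" | san_list)
    for name in $want; do
        printf '%s\n' "$have" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# Sample input taken from the terminal session in the post.
CNF_TEXT='subjectAltName = DNS:ucs01.domain.tld, DNS:ucs01, DNS:mdc01.domain.tld, DNS:mdc01'
CERT_TEXT='DNS:ucs01.domain.tld, DNS:ucs01'

echo "Requested but not in certificate:"
missing_sans "$CNF_TEXT" "$CERT_TEXT"

# On the host itself the same check would be run as:
#   cd /etc/univention/ssl
#   missing_sans "$(cat ucs01.domain.tld/openssl.cnf)" \
#                "$(openssl x509 -text -noout -in ucs01.domain.tld/cert.pem)"
```

Empty output from `missing_sans` means every requested name made it into the certificate.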