The original question has been answered, but I'd like to rebut a point made in one of the answers.

Use of the CN for a friendly name, while appealing and sensible to me, is not supported by the CA/B BRs. In prior version of the CA/B BRs, this was section 9.2.2, but it appears to have recently moved. https://cabforum.org/wp-content/uploads/CAB-Forum-BR-1.3.0.pdf

7.1.4.2.2. Subject Distinguished Name Fields

a. Certificate Field: subject:commonName (OID 2.5.4.3) Required/Optional: Deprecated (Discouraged, but not prohibited)

Contents: If present, this field MUST contain a single IP address or Fully‐Qualified Domain Name that is one of the values contained in the Certificate’s subjectAltName extension.

Respectfully, --obivon

the CN and the SAN fields compliment each other and so accordingly I set the CN to server.domain.local and in the SAN I have DNS:server.domain.tld

No (but that post is kind of old now).

Placing a DNS name is the Common Name (CN) is deprecated by both the IETF and CA/Browser Forums. You should place all DNS names in the Subject Alternate Name (SAN). Use the CN for a friendly name like "Example LLP" since its displayed to the user.

According to the CA/Browser Baseline Requirements (BR), a DNS name in the CN must also be present in the SAN. See CA/B BR, Section 9.2.

Chrome at least, I can browse to server.domain.tld (SAN entry) without error but I get a common name mismatch error at server.domain.local (CN)

Chrome is correctly rejecting the certificate if server.domain.local is present in the CN, but is not present in the SAN. Its a violation of the CA/B BR if its not present in both.

Should I have both server.domain.local and server.domain.tld in the SAN field

Yes, place both DNS names in the SAN. Don't put a DNS name in the CN. Use the CN for a friendly name.

For completeness, CA/B stands for CAs and Browsers. They have their own little closed club, and they have their own set of policies for issuing certificates. Don't expect browsers to do things as specified in the IETF docs.

And if you are validating X509 certificates used in the wild issued by a CA that is a member of CA/B, then you should validate using the CA/B BR, and not the IETF docs.

.. the CN and the SAN fields compliment each other ..

That is only true in the general PKI case, but specific protocols have different behavior. The relevant RFC for checking the certificate in HTTPS is RFC2818 (or later RFC6125) which states:

If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.

That means, if you have a SAN section it must contain all names, because the CN will not be checked.