Anyconnect vpn with ucc certificate

mialbert
Level 1

I have a C1941 and would like to install AnyConnect Essentials SSL VPN (client based). I have done these in the past with a single-name certificate (GoDaddy used to call them Turbo). Can I do this with a multi-name certificate (UCC) as well if I add a SAN such as vpn.company.com?

8 Replies

Rahul Govindan
VIP Alumni

You should be able to import a UCC cert on the router without any issues. You may not be able to create a Certificate Signing Request from the router directly with multiple SANs. The subject-alt-name command under the trustpoint should be able to add a single SAN:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/s1/sec-s1-cr-book/sec-cr-s6.html#wp1689442864

You can use OpenSSL to add additional SANs to the existing CSR.

Here is a guide to do so using OpenSSL:

https://langui.sh/2009/02/27/creating-a-subjectaltname-sanucc-csr/

I don't think I would need to be concerned about generating a CSR because this is an existing UCC cert that is being renewed. I think the SAN for vpn.company.com can be added at rekey time. Is this correct?

Really depends on the number of domains that were purchased for the UCC cert. GoDaddy's KB states this:

"You cannot upgrade a UCC to include more names. If you bought the UCC with up to five domain names, you need to purchase a new certificate to add another domain name."

Ideally, you should be able to add up to the number of domains purchased with the rekey option.

Looks like the only names on it would be for mail (mail/autodiscover). So I suppose I can use it then. For the subject name on the trustpoint, I would still reference the container name CN as below?

subject-name CN=vpn.company.com

or would that need to be different?

Subject-name will translate to the issuer name of the company; this CN field is only looked at for verification if you do not have a subject alternative name (SAN) in your certificate. Ideally you should be using the fqdn sub-command under the trustpoint:

Router(config)#cry pki trustpoint test
Router(ca-trustpoint)#fqdn ?
  LINE  fully-qualified domain name
  none  do not include fully-qualified domain name

Router(ca-trustpoint)#fqdn vpn.company.com

As a best practice, I would set both the subject CN and fqdn to vpn.company.com.

Yes, I normally use the fqdn in the trustpoint (as below):

crypto ca trustpoint cert1.trustpoint
enrollment terminal
subject-name CN=vpn.company.com
rsakeypair cert1.trustpoint 2048
fqdn vpn.company.com

The only reason I was asking was that all I've used before have been single-name certs, so the subject-name would be the only name on the cert. I just wanted to verify that when using a multi-name cert this would not be any different. After the trustpoint, I normally configure the intermediate and principal certs as below:

1 (for intermediate): crypto ca authenticate cert1.trustpoint
   paste intermediate cert in

2 (for principal): crypto ca import cert1.trustpoint certificate
   paste principal cert in

Assuming this would not be any different either, correct?

OK, got your question. So if you already have a UCC cert generated outside of the router, all you need is to have the cert and the private key combined into a PKCS12 (.p12) file and imported into a new trustpoint. The trustpoint itself need not have any config in place:

cry pki import test pkcs12

If you are generating the CSR from the router, just create a single fqdn as you always do and import the cert as you would normally. The router should not check whether the trustpoint SAN matches the issued certificate's SAN. Only the RSA keypair used to generate the CSR should match.

And yes, the import of the cert looks correct, assuming by principal cert you mean the identity cert issued to the router by the CA.
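The two pieces of advice in this thread, building a CSR that carries more than one SAN with OpenSSL (the earlier reply) and packaging an externally issued cert together with its private key as PKCS12 for "crypto pki import <trustpoint> pkcs12" (this reply), as an added shell example that is not part of the original posts. It signs the CSR with a throwaway test CA so that it runs offline; the names vpn.company.com, mail.company.com and autodiscover.company.com, the "Test CA", the PKCS12 password and the working directory are all constructed for illustration. In practice the CSR goes to the public CA and the cert it issues takes the place of vpn.pem.

```shell
#!/bin/sh
# Added example (not from the original thread): multi-SAN CSR with OpenSSL,
# a throwaway CA to issue it offline, PKCS12 packaging for an IOS trustpoint,
# and a SAN check before the import. All names below are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Request config with the SAN extension. The CN is repeated in the SAN list
# because clients ignore the CN once a SAN extension is present.
write_san_config() {
  cat > "$WORK/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = vpn.company.com
O  = Example Company

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = vpn.company.com
DNS.2 = mail.company.com
DNS.3 = autodiscover.company.com
EOF
}

# Key pair plus a CSR that already carries every SAN; this is the file you
# would send to GoDaddy (or rekey with) instead of a router-generated CSR.
make_csr() {
  write_san_config
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/vpn.key" -out "$WORK/vpn.csr" \
    -config "$WORK/san.cnf" 2>/dev/null
}

# Throwaway CA standing in for the public CA; the SAN extension is copied
# from the same config so the issued cert lists all three names.
issue_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Test CA" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl x509 -req -in "$WORK/vpn.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 \
    -extfile "$WORK/san.cnf" -extensions v3_req \
    -out "$WORK/vpn.pem" 2>/dev/null
}

# Identity cert, private key and issuing chain in one .p12, which is what
# "crypto pki import <trustpoint> pkcs12" consumes. The password is constructed.
make_pkcs12() {
  openssl pkcs12 -export -inkey "$WORK/vpn.key" -in "$WORK/vpn.pem" \
    -certfile "$WORK/ca.pem" -name "cert1.trustpoint" \
    -passout pass:changeit -out "$WORK/vpn.p12"
}

# DNS SANs of a PEM certificate, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Number of DNS SANs in the certificate.
san_count() {
  cert_sans "$1" | grep -c .
}

# Succeeds only when the exact name clients will connect to is in the SAN list.
san_contains() {
  cert_sans "$1" | grep -qx "$2"
}
```

Run the functions in order (make_csr, issue_cert, make_pkcs12) and check the issued cert with san_contains before putting it on the router: as the reply above notes, the router does not compare the certificate's SAN with the trustpoint's fqdn, so that check has to happen on the OpenSSL side. On the router the import command takes the source and the PKCS12 password on one line, in the form crypto pki import cert1.trustpoint pkcs12 <source-url> <password>.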

Yes, it is a cert generated outside of the router. OK, so I would use the command specified:

cry pki import cert1 pkcs12

Then it would prompt for a PKCS12 file to import. It would import to the cert1 trustpoint and then create the certificate hash in the format below.

crypto pki certificate chain cert1.trustpoint
certificate
< certificate hash values........... >

and that would be it? That is a bit easier.