Let's Encrypt Usage
Self-signed Usage
OCSP Must-Staple: Servers using certificates with this flag must provide proof to the client that the certificate hasn't been revoked.
This extension is meant to ensure that attackers that gained access to the private key can't keep using the certificate after it's been revoked, as clients should report an error if they don't get the revocation status from the server.
This flag can be good because clients don't always go out of their way to check revocation status themselves. The downside of this flag is that it can cause your service to become inaccessible if the server has issues retrieving the revocation status.
SAN: Subject alternative name. This extension is used to list the names that are associated with the certificate. Most SAN entries are domain names, but IPs, email addresses, and other stuff can also appear here.
The visualisation shows the maximum number of entries a certificate has and the average number for the current selection. People go pretty wild with sometimes hundreds of domains in one certificate.