From be6da1f1c5506cc6effd57b74d983caa5d8b141e Mon Sep 17 00:00:00 2001
From: John Howard
Date: Fri, 17 Jan 2025 15:52:36 -0800
Subject: [PATCH] Fix: mark SAN as critical when subject is empty

Fixes https://github.com/rustls/rcgen/issues/310
---
 rcgen/src/certificate.rs | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/rcgen/src/certificate.rs b/rcgen/src/certificate.rs
index 1619296a..1c6523aa 100644
--- a/rcgen/src/certificate.rs
+++ b/rcgen/src/certificate.rs
@@ -499,7 +499,10 @@ impl CertificateParams {
 			return;
 		}
 
-		write_x509_extension(writer, oid::SUBJECT_ALT_NAME, false, |writer| {
+		// Per https://tools.ietf.org/html/rfc5280#section-4.1.2.6, SAN must be marked
+		// as critical if subject is empty.
+		let critical = self.distinguished_name.entries.is_empty();
+		write_x509_extension(writer, oid::SUBJECT_ALT_NAME, critical, |writer| {
 			writer.write_sequence(|writer| {
 				for san in self.subject_alt_names.iter() {
 					writer.next().write_tagged_implicit(
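Review bot: The RFC 5280 §4.1.2.6 rule the new `critical` flag implements is two-sided — an empty subject also requires a SAN extension to be present — but the `return;` at the top of the hunk still lets params with an empty distinguished name and no subject_alt_names produce a certificate that has neither, and this commit leaves that case unaddressed. Since this writer appears to have no error path, the check presumably belongs wherever the params are validated before serialisation, or at least the added comment should say so, e.g. `// NOTE: an empty subject with no SANs is also invalid per RFC 5280 but is not rejected here.` The diffstat shows no test: one that builds a certificate with an empty subject and a single SAN, parses it back and asserts the SAN extension is critical (and non-critical when the subject is populated) would pin the new behaviour. The comment's link could use the canonical `https://www.rfc-editor.org/rfc/rfc5280#section-4.1.2.6` rather than the redirecting tools.ietf.org URL. The enclosing function begins before the hunk.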