From 6e69377d1ae40bee146e9cc930f76d2262caf2ee Mon Sep 17 00:00:00 2001
From: Slawek Koszewski <slawek@koszewscy.waw.pl>
Date: Sun, 3 Aug 2025 09:38:31 +0200
Subject: [PATCH] Enhance SAN handling in issueSingleCertificate: extract CN
 from DN if present

---
 ca.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/ca.go b/ca.go
index 54ae09d..c21174e 100644
--- a/ca.go
+++ b/ca.go
@@ -478,7 +478,15 @@ func issueSingleCertificate(def CertificateDefinition) error {
 
 	// Add default dns SAN for server/server-only if none specified
 	if strings.Contains(def.Type, "server") && len(def.SAN) == 0 {
-		def.SAN = append(def.SAN, "dns:"+def.Subject)
+		// Extract CN if subject is a DN, else use subject as is
+		cn := def.Subject
+		if isDNFormat(def.Subject) {
+			dn := parseDistinguishedName(def.Subject)
+			if dn.CommonName != "" {
+				cn = dn.CommonName
+			}
+		}
+		def.SAN = append(def.SAN, "dns:"+cn)
 	}
 
 	priv, err := rsa.GenerateKey(rand.Reader, 4096)