From b134ce007674fdd1e15372d9799e25c8ea7267c1 Mon Sep 17 00:00:00 2001
From: Jordan Liggitt <liggitt@google.com>
Date: Thu, 9 Oct 2025 16:27:05 -0400
Subject: [PATCH] Remove invalid SAN certificate construction

Kubernetes-commit: 9bd285d24dee6a874dd915b49e4d20179bb69092
---
 util/cert/cert.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/util/cert/cert.go b/util/cert/cert.go
index 91e171271..4805d09ab 100644
--- a/util/cert/cert.go
+++ b/util/cert/cert.go
@@ -75,13 +75,15 @@ func NewSelfSignedCACert(cfg Config, key crypto.Signer) (*x509.Certificate, erro
 			CommonName:   cfg.CommonName,
 			Organization: cfg.Organization,
 		},
-		DNSNames:              []string{cfg.CommonName},
 		NotBefore:             notBefore,
 		NotAfter:              now.Add(duration365d * 10).UTC(),
 		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
 		BasicConstraintsValid: true,
 		IsCA:                  true,
 	}
+	if len(cfg.CommonName) > 0 {
+		tmpl.DNSNames = []string{cfg.CommonName}
+	}
 
 	certDERBytes, err := x509.CreateCertificate(cryptorand.Reader, &tmpl, &tmpl, key.Public(), key)
 	if err != nil {