BUG/MINOR: cert-info: enhance leaf certificate selection to include DNS names

jmdelafe · mjuraga · commit d63576b147a3 · 2025-08-19T08:57:39.000+02:00
Extending the logic to check if both CommonName or SubjectAlternativeNames are not empty. This fixes the cases where names are too long and have no CN but only SAN.
diff --git a/storage/cert-info.go b/storage/cert-info.go
@@ -160,7 +160,7 @@ func findLeafCertificate(certs []*x509.Certificate) (*x509.Certificate, error) {
 
 	// Find the starting certificate (a certificate whose issuer is not in the list)
 	for _, cert := range certs {
-		if !cert.IsCA && cert.Subject.CommonName != "" && !isIssuer[cert.Subject.String()] {
+		if !cert.IsCA && (cert.Subject.CommonName != "" || len(cert.DNSNames) != 0) && !isIssuer[cert.Subject.String()] {
 			return cert, nil
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -160,7 +160,7 @@ func findLeafCertificate(certs []x509.Certificate) (x509.Certificate, error) {`
`160`	`160`
`161`	`161`	`// Find the starting certificate (a certificate whose issuer is not in the list)`
`162`	`162`	`for _, cert := range certs {`
`163`		`- if !cert.IsCA && cert.Subject.CommonName != "" && !isIssuer[cert.Subject.String()] {`
	`163`	`+ if !cert.IsCA && (cert.Subject.CommonName != "" \|\| len(cert.DNSNames) != 0) && !isIssuer[cert.Subject.String()] {`
`164`	`164`	`return cert, nil`
`165`	`165`	`}`
`166`	`166`	`}`