hashicorp · jefferai · Feb 9, 2018 · Feb 8, 2018 · Feb 8, 2018 · Feb 8, 2018
diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
@@ -84,15 +84,17 @@ func TestPKI_RequireCN(t *testing.T) {
 		"max_ttl":            "2h",
 	})
 
-	// Issue a cert with require_cn set to true and with common name supplied
+	// Issue a cert with require_cn set to true and with common name supplied.
+	// It should succeed.
 	resp, err = client.Logical().Write("pki/issue/example", map[string]interface{}{
 		"common_name": "foobar.com",
 	})
 	if err != nil {
 		t.Fatal(err)
 	}
 
-	// Issue a cert with require_cn set to true and with out supplying the common name
+	// Issue a cert with require_cn set to true and with out supplying the
+	// common name. It should error out.
 	resp, err = client.Logical().Write("pki/issue/example", map[string]interface{}{})
 	if err == nil {
 		t.Fatalf("expected an error due to missing common_name")
@@ -107,7 +109,19 @@ func TestPKI_RequireCN(t *testing.T) {
 		"require_cn":         false,
 	})
 
-	// Issue a cert with require_cn set to true and with out supplying the common name
+	// Issue a cert with require_cn set to false and without supplying the
+	// common name. It should succeed.
+	resp, err = client.Logical().Write("pki/issue/example", map[string]interface{}{})
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if resp.Data["certificate"] == "" {
+		t.Fatalf("expected a cert to be generated")
+	}
+
+	// Issue a cert with require_cn set to false and with a common name. It
+	// should succeed.
 	resp, err = client.Logical().Write("pki/issue/example", map[string]interface{}{})
 	if err != nil {
 		t.Fatal(err)

diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
@@ -258,6 +258,10 @@ func fetchCertBySerial(ctx context.Context, req *logical.Request, prefix, serial
 // If one does not pass, it is returned in the string argument.
 func validateNames(req *logical.Request, names []string, role *roleEntry) string {
 	for _, name := range names {
+		if name == "" {
+			// This might happen when common_name is empty
+			continue
+		}
 		sanitizedName := name
 		emailDomain := name
 		isEmail := false
@@ -621,9 +625,9 @@ func generateCreationBundle(b *backend,
 		if csr != nil && role.UseCSRCommonName {
 			cn = csr.Subject.CommonName
 		}
-		if cn == "" && role.RequireCN {
+		if cn == "" {
 			cn = data.Get("common_name").(string)
-			if cn == "" {
+			if cn == "" && role.RequireCN {
 				return nil, errutil.UserError{Err: `the common_name field is required, or must be provided in a CSR with "use_csr_common_name" set to true, unless "require_cn" is set to false`}
 			}
 		}
@@ -633,7 +637,7 @@ func generateCreationBundle(b *backend,
 			emailAddresses = csr.EmailAddresses
 		}
 
-		if !data.Get("exclude_cn_from_sans").(bool) {
+		if cn != "" && !data.Get("exclude_cn_from_sans").(bool) {
 			if strings.Contains(cn, "@") {
 				// Note: emails are not disallowed if the role's email protection
 				// flag is false, because they may well be included for