Always add a certificate's CN as a SAN

edwardneal · edwardneal · commit 3cc7cb0146ea · 2025-05-30T23:50:28.000+01:00
diff --git a/src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.TestUtilities/Fixtures/CertificateFixtureBase.cs b/src/Microsoft.Data.SqlClient/tests/tools/Microsoft.Data.SqlClient.TestUtilities/Fixtures/CertificateFixtureBase.cs
@@ -38,7 +38,7 @@ protected static X509Certificate2 CreateCertificate(string subjectName, IEnumera
             // * Start date: 24hrs ago
             // * End date: 24hrs in the future
             // * Subject: {subjectName}
-            // * Subject alternative names: {dnsNames}, {ipAddresses}
+            // * Subject alternative names: {subjectName}, {dnsNames}, {ipAddresses}
             // * Public key: 2048-bit RSA
             // * Hash algorithm: SHA256
             // * Key usage: digital signature, key encipherment
@@ -55,18 +55,17 @@ protected static X509Certificate2 CreateCertificate(string subjectName, IEnumera
             X500DistinguishedNameBuilder subjectBuilder = new X500DistinguishedNameBuilder();
             SubjectAlternativeNameBuilder sanBuilder = new SubjectAlternativeNameBuilder();
             RSA rsaKey = RSA.Create(2048);
-            bool hasSans = false;
 
             subjectBuilder.AddCommonName(subjectName);
+
+            sanBuilder.AddDnsName(subjectName);
             foreach (string dnsName in dnsNames)
             {
                 sanBuilder.AddDnsName(dnsName);
-                hasSans = true;
             }
             foreach (string ipAddress in ipAddresses)
             {
                 sanBuilder.AddIpAddress(System.Net.IPAddress.Parse(ipAddress));
-                hasSans = true;
             }
 
             CertificateRequest request = new CertificateRequest(subjectBuilder.Build(), rsaKey, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
@@ -75,10 +74,7 @@ protected static X509Certificate2 CreateCertificate(string subjectName, IEnumera
             request.CertificateExtensions.Add(new X509KeyUsageExtension(X509KeyUsageFlags.DigitalSignature | X509KeyUsageFlags.KeyEncipherment, false));
             request.CertificateExtensions.Add(new X509EnhancedKeyUsageExtension(new OidCollection() { new Oid("1.3.6.1.5.5.7.3.1"), new Oid("1.3.6.1.5.5.7.3.2") }, true));
 
-            if (hasSans)
-            {
-                request.CertificateExtensions.Add(sanBuilder.Build());
-            }
+            request.CertificateExtensions.Add(sanBuilder.Build());
 
             // Generate an ephemeral certificate, then export it and return it as a new certificate with the correct key storage flags set.
             // This is to ensure that it's imported into the certificate stores with its private key.
