From 8b082f9fde2dd00c652a6fa3aa670118e9b0ae82 Mon Sep 17 00:00:00 2001
From: Seth Schoen
Date: Fri, 10 Aug 2012 16:26:25 -0700
Subject: [PATCH] evidently, current best practice is to include ALL DNS names, including the primary name, as SANs
---
 server-ca/CSR.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/server-ca/CSR.py b/server-ca/CSR.py
index f2055b7a0..66fe402cf 100644
--- a/server-ca/CSR.py
+++ b/server-ca/CSR.py
@@ -241,10 +241,9 @@ subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer
 nsComment = "Chocolatey"
 """)
- if subjects[1:]:
- san_line = "subjectAltName="
- san_line += ",".join("DNS:%s" % n for n in subjects[1:]) + "\n"
- ext_tmp.write(san_line)
+ san_line = "subjectAltName="
+ san_line += ",".join("DNS:%s" % n for n in subjects) + "\n"
+ ext_tmp.write(san_line)
 ext_tmp.flush()
 ret = subprocess.Popen(["./CA.sh", "-complete", dn, ext_tmp.name, csr_tmp.name, cert_tmp.name],shell=False,stdin=subprocess.PIPE,stdout=subprocess.PIPE,stderr=subprocess.PIPE).wait()
 if ret == 0:
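Review bot: The rewritten `san_line` formats every entry of `subjects` straight into the OpenSSL extension file with no validation visible in this hunk, and it now does so for the primary name as well. A name containing a comma, a newline or another config metacharacter would change what the extension section says instead of adding one DNS entry. Each name should therefore be checked against a strict hostname pattern before this point, unless the caller already guarantees it; the enclosing function starts and ends outside the hunk, so that cannot be confirmed here. Dropping the `if subjects[1:]:` guard also means an empty `subjects` now writes a bare `subjectAltName=` line, which presumably makes the signing step fail, so rejecting an empty list explicitly would make that case deliberate. A comment above the line such as `# every name, including the primary one, goes into SAN; names must already be validated hostnames` would record both assumptions.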