rustls · cpu · Sep 11, 2023 · Sep 10, 2023 · Sep 10, 2023 · Sep 10, 2023
diff --git a/src/lib.rs b/src/lib.rs
@@ -911,7 +911,7 @@ impl CertificateParams {
 			// Write extensions
 			// According to the spec in RFC 2986, even if attributes are empty we need the empty attribute tag
 			writer.next().write_tagged(Tag::context(0), |writer| {
-				if !subject_alt_names.is_empty() {
+				if !subject_alt_names.is_empty() || !custom_extensions.is_empty() {
 					writer.write_sequence(|writer| {
 						let oid = ObjectIdentifier::from_slice(OID_PKCS_9_AT_EXTENSION_REQUEST);
 						writer.next().write_oid(&oid);

diff --git a/tests/generic.rs b/tests/generic.rs
@@ -111,6 +111,9 @@ mod test_x509_custom_ext {
 		// Generate a certificate with the custom extension, parse it with x509-parser.
 		let mut params = util::default_params();
 		params.custom_extensions = vec![custom_ext];
+		// Ensure the custom exts. being omitted into a CSR doesn't require SAN ext being present.
+		// See https://github.com/rustls/rcgen/issues/122
+		params.subject_alt_names = Vec::default();
 		let test_cert = Certificate::from_params(params).unwrap();
 		let test_cert_der = test_cert.serialize_der().unwrap();
 		let (_, x509_test_cert) = X509Certificate::from_der(&test_cert_der).unwrap();