From 489f073d3adcfc099647c280a7f234f667a38bd3 Mon Sep 17 00:00:00 2001
From: James Munnelly
Date: Fri, 13 Oct 2017 12:45:22 +0100
Subject: [PATCH] Require altName or subject name are specified in CA issuer
---
 pkg/issuer/ca/issue.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/pkg/issuer/ca/issue.go b/pkg/issuer/ca/issue.go
index 183fee11b..57db0310a 100644
--- a/pkg/issuer/ca/issue.go
+++ b/pkg/issuer/ca/issue.go
@@ -64,20 +64,23 @@ func (c *CA) Issue(ctx context.Context, crt *v1alpha1.Certificate) (v1alpha1.Cer
 }
 func (c *CA) obtainCertificate(crt *v1alpha1.Certificate, signeeKey interface{}) ([]byte, error) {
- signerCert, err := kube.SecretTLSCert(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName)
+ commonName := crt.Spec.CommonName
+ altNames := crt.Spec.AltNames
+ if len(commonName) == 0 || len(altNames) == 0 {
+ return nil, fmt.Errorf("no domains specified on certificate")
+ }
+ signerCert, err := kube.SecretTLSCert(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName)
 if err != nil {
 return nil, fmt.Errorf("error getting issuer certificate: %s", err.Error())
 }
 signerKey, err := kube.SecretTLSKey(c.secretsLister, c.resourceNamespace, c.issuer.GetSpec().CA.SecretName)
-
 if err != nil {
 return nil, fmt.Errorf("error getting issuer private key: %s", err.Error())
 }
 crtPem, _, err := signCertificate(crt, signerCert, signeeKey, signerKey)
-
 if err != nil {
 return nil, err
 }
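Review bot: The new guard at the top of obtainCertificate joins its two length checks with `||`, so it returns "no domains specified on certificate" whenever either field is empty. A request that carries only alt names, or only a common name, is therefore refused, which contradicts both the error text and the commit subject. If the intent is to refuse signing only when the certificate names no identity at all, the condition should be `if len(commonName) == 0 && len(altNames) == 0 {`. A short comment above the check, such as `// refuse to sign a certificate that names no subject`, would record that intent. obtainCertificate's body continues past the end of the hunk.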