crypto/x509: CreateCertificate should mark SubjectAltName as critical iff Subject is empty #22249

@optnfast

What version of Go are you using (go version)?

go version go1.9.1 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOEXE=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/rjk/go"
GORACE=""
GOROOT="/usr/local/go-1.9.1"
GOTOOLDIR="/usr/local/go-1.9.1/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build715387515=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"

What did you do?

RFC5280 4.2.1.6 requires: "If the subject field contains an empty sequence, then the issuing CA MUST include a subjectAltName extension that is marked as critical."

x509.CreateCertificate fails to mark subjectAltName as critical in this case.

https://play.golang.org/p/8BeKYea_77 exercises the bug.

What did you expect to see?

Certificate generated with empty Subject and SubjectAltName marked critical, test program ran to completion.

What did you see instead?

Certificate generated with empty Subject and SubjectAltName NOT marked critical, test program panics.
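
An added example, not part of the original report and not the Go project's code: a check for the RFC 5280 4.2.1.6 rule quoted above, run against a throwaway self-signed certificate. The names `sanRuleOK` and `selfSigned` and the host `example.test` are assumptions made for this illustration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// sanRuleOK reports whether cert satisfies RFC 5280 4.2.1.6: an empty
// Subject requires a subjectAltName extension that is marked critical.
func sanRuleOK(cert *x509.Certificate) bool {
	if !bytes.Equal(cert.RawSubject, []byte{0x30, 0x00}) { // DER of an empty SEQUENCE
		return true // non-empty Subject: the rule does not apply
	}
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 17}) { // id-ce-subjectAltName
			return ext.Critical
		}
	}
	return false // empty Subject and no subjectAltName at all
}

// selfSigned builds and re-parses a constructed, short-lived self-signed
// certificate (hypothetical helper). An empty cn yields an empty Subject.
func selfSigned(cn string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: dnsNames, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := selfSigned("", []string{"example.test"})
	fmt.Println("RFC 5280 4.2.1.6 satisfied:", err == nil && sanRuleOK(cert))
}
```

The same `sanRuleOK` check can be applied to any parsed certificate, for example as a lint step before an internal CA publishes what it has issued.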
