diff --git a/base/common/src/main/java/org/dogtagpki/nss/NSSExtensionGenerator.java b/base/common/src/main/java/org/dogtagpki/nss/NSSExtensionGenerator.java
index 9faeacc480c..c1fae5894df 100644
--- a/base/common/src/main/java/org/dogtagpki/nss/NSSExtensionGenerator.java
+++ b/base/common/src/main/java/org/dogtagpki/nss/NSSExtensionGenerator.java
@@ -476,7 +476,12 @@ public SubjectAlternativeNameExtension createSANExtension(PKCS10 pkcs10) throws
                 continue;
             }
 
-            if (option.equals("DNS:request_subject_cn") && pkcs10 != null) {
+            if (option.equals("DNS:request_subject_cn")) {
+
+                if (pkcs10 == null) {
+                    continue;
+                }
+
                 X500Name subjectName = pkcs10.getSubjectName();
                 logger.info("Getting CN from subject name: " + subjectName);
 
@@ -490,7 +495,12 @@ public SubjectAlternativeNameExtension createSANExtension(PKCS10 pkcs10) throws
                 continue;
             }
 
-            if (option.equals("DNS:request_san_ext") && pkcs10 != null) {
+            if (option.equals("DNS:request_san_ext")) {
+
+                if (pkcs10 == null) {
+                    continue;
+                }
+
                 logger.info("Getting SAN extension from CSR");
                 SubjectAlternativeNameExtension sanExtension = CertUtil.getSANExtension(pkcs10);
 
@@ -517,6 +527,10 @@ public SubjectAlternativeNameExtension createSANExtension(PKCS10 pkcs10) throws
             }
         }
 
+        if (dnsNames.isEmpty()) {
+            return null;
+        }
+
         // convert DNS names to general names
         GeneralNames generalNames = new GeneralNames();
         for (String name : dnsNames) {