diff --git a/acme/acme/crypto_util.py b/acme/acme/crypto_util.py
index 0931ac14b..a986721f0 100644
--- a/acme/acme/crypto_util.py
+++ b/acme/acme/crypto_util.py
@@ -188,7 +188,6 @@ def make_csr(private_key_pem, domains, must_staple=False):
 
 def _pyopenssl_cert_or_req_all_names(loaded_cert_or_req):
     common_name = loaded_cert_or_req.get_subject().CN
-    # pylint: disable=protected-access
     sans = _pyopenssl_cert_or_req_san(loaded_cert_or_req)
 
     if common_name is None:
diff --git a/acme/acme/crypto_util_test.py b/acme/acme/crypto_util_test.py
index 1d7f83ccf..14aaac8b5 100644
--- a/acme/acme/crypto_util_test.py
+++ b/acme/acme/crypto_util_test.py
@@ -65,6 +65,30 @@ class SSLSocketAndProbeSNITest(unittest.TestCase):
     #    self.assertRaises(errors.Error, self._probe, b'bar')
 
 
+class PyOpenSSLCertOrReqAllNamesTest(unittest.TestCase):
+    """Test for acme.crypto_util._pyopenssl_cert_or_req_all_names."""
+
+    @classmethod
+    def _call(cls, loader, name):
+        # pylint: disable=protected-access
+        from acme.crypto_util import _pyopenssl_cert_or_req_all_names
+        return _pyopenssl_cert_or_req_all_names(loader(name))
+
+    def _call_cert(self, name):
+        return self._call(test_util.load_cert, name)
+
+    def test_cert_one_san_no_common(self):
+        self.assertEqual(self._call_cert('cert-nocn.der'),
+                         ['no-common-name.badssl.com'])
+
+    def test_cert_no_sans_yes_common(self):
+        self.assertEqual(self._call_cert('cert.pem'), ['example.com'])
+
+    def test_cert_two_sans_yes_common(self):
+        self.assertEqual(self._call_cert('cert-san.pem'),
+                         ['example.com', 'www.example.com'])
+
+
 class PyOpenSSLCertOrReqSANTest(unittest.TestCase):
     """Test for acme.crypto_util._pyopenssl_cert_or_req_san."""
 
diff --git a/acme/acme/testdata/cert-nocn.der b/acme/acme/testdata/cert-nocn.der
new file mode 100644
index 000000000..59da83ccc
Binary files /dev/null and b/acme/acme/testdata/cert-nocn.der differ