diff --git a/confluent_server/confluent/certutil.py b/confluent_server/confluent/certutil.py
index d7c6ba16..b87a3818 100644
--- a/confluent_server/confluent/certutil.py
+++ b/confluent_server/confluent/certutil.py
@@ -334,6 +334,7 @@ def create_certificate(keyout=None, certout=None, csrfile=None, subj=None, san=N
             dnsnames = set(ipaddrs)
             dnsnames.add(shortname)
             dnsnames.add(longname)
+        else:
             # nameconstraints preclude IP and shortname
             san = []
             dnsnames = set()
@@ -341,7 +342,6 @@ def create_certificate(keyout=None, certout=None, csrfile=None, subj=None, san=N
                 if longname.endswith(suffix):
                     dnsnames.add(longname)
                     break
-                    break
         for currip in ipaddrs:
             currname = socket.getnameinfo((currip, 0), 0)[0]
             for suffix in permitdomains: