diff --git a/aperture.go b/aperture.go
index 3df9902..f87c398 100644
--- a/aperture.go
+++ b/aperture.go
@@ -693,7 +693,15 @@ func getTLSConfig(serverName, baseDir string, autoCert bool) (
 // exist).
 tlsKeyFile := filepath.Join(apertureDir, defaultTLSKeyFilename)
 tlsCertFile := filepath.Join(apertureDir, defaultTLSCertFilename)
- tlsExtraDomains := []string{serverName}
+
+ // Go 1.25 tightened x509 SAN validation and now rejects empty dNSName
+ // entries (`x509: SAN dNSName is malformed`). When users rely on the
+ // default config (no server name), we still want to generate a usable
+ // self-signed cert, so we only append non-empty hostnames.
+ var tlsExtraDomains []string
+ if serverName != "" {
+ tlsExtraDomains = append(tlsExtraDomains, serverName)
+ }
 if !fileExists(tlsCertFile) && !fileExists(tlsKeyFile) {
 log.Infof("Generating TLS certificates...")
 certBytes, keyBytes, err := cert.GenCertPair(
@@ -754,7 +762,7 @@ func getTLSConfig(serverName, baseDir string, autoCert bool) (
 log.Infof("Renewing TLS certificates...")
 certBytes, keyBytes, err := cert.GenCertPair(
- selfSignedCertOrganization, nil, nil, false,
+ selfSignedCertOrganization, nil, tlsExtraDomains, false,
 selfSignedCertValidity,
 )
 if err != nil {
diff --git a/aperture_test.go b/aperture_test.go
new file mode 100644
index 0000000..a28e4f3
--- /dev/null
+++ b/aperture_test.go
@@ -0,0 +1,18 @@
+package aperture
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/require"
+)
+
+// TestGetTLSConfigAllowsEmptyServerName ensures that generating a default
+// self-signed TLS cert without a server name succeeds. This used to work
+// before Go 1.25 tightened SAN validation, so we rely on Aperture handling it.
+func TestGetTLSConfigAllowsEmptyServerName(t *testing.T) {
+ t.Parallel()
+
+ cfg, err := getTLSConfig("", t.TempDir(), false)
+ require.NoError(t, err)
+ require.NotNil(t, cfg)
+}
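Review bot: The new comment explains only the empty-serverName case, but the second hunk in this file also changes the renewal call from `nil` to `tlsExtraDomains`, which — if GenCertPair's third argument is the extra DNS names list, as the first call site suggests — means a renewed certificate now carries the server-name SAN where it previously did not. That is a separate, user-visible change in what the served certificate asserts and deserves its own line at the renewal call, e.g. `// Pass the same extra domains as on first generation so a renewed cert keeps the server-name SAN.` Note that the guard filters only the empty string; a serverName that is not a valid hostname still reaches the x509 layer, which is fine as long as the resulting error keeps being surfaced by the `if err != nil` that follows each call. getTLSConfig begins before and ends after both hunks.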
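Review bot: TestGetTLSConfigAllowsEmptyServerName asserts only that no error is returned and that the config is non-nil; it never inspects the generated certificate, so a regression that dropped a non-empty server name from the SAN list (which the renewal path in aperture.go was doing until this commit) would still pass. Add a second case with a non-empty name, `cfg, err := getTLSConfig("example.com", t.TempDir(), false)`, extract the leaf certificate from the returned config, parse it with `x509.ParseCertificate`, and assert that `DNSNames` contains the name and holds no empty entry in either case. A short comment on the empty-name case stating what SANs the default certificate is expected to end up with would also make the intent of the test checkable rather than implicit.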