diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
index 41acd51781..d35ecc3f02 100644
--- a/scripts/base/init-bare.bro
+++ b/scripts/base/init-bare.bro
@@ -2774,20 +2774,20 @@ export {
 module X509;
 export {
 type Certificate: record {
- version: count; ##< Version number.
- serial: string; ##< Serial number.
- subject: string; ##< Subject.
- issuer: string; ##< Issuer.
+ version: count &log; ##< Version number.
+ serial: string &log; ##< Serial number.
+ subject: string &log; ##< Subject.
+ issuer: string &log; ##< Issuer.
 cn: string &optional; ##< Last (most specific) common name.
- not_valid_before: time; ##< Timestamp before when certificate is not valid.
- not_valid_after: time; ##< Timestamp after when certificate is not valid.
- key_alg: string; ##< Name of the key algorithm
- sig_alg: string; ##< Name of the signature algorithm
- key_type: string &optional; ##< Key type, if key parseable by openssl (either rsa, dsa or ec)
- key_length: count &optional; ##< Key length in bits
- exponent: string &optional; ##< Exponent, if RSA-certificate
- curve: string &optional; ##< Curve, if EC-certificate
- } &log;
+ not_valid_before: time &log; ##< Timestamp before when certificate is not valid.
+ not_valid_after: time &log; ##< Timestamp after when certificate is not valid.
+ key_alg: string &log; ##< Name of the key algorithm
+ sig_alg: string &log; ##< Name of the signature algorithm
+ key_type: string &optional &log; ##< Key type, if key parseable by openssl (either rsa, dsa or ec)
+ key_length: count &optional &log; ##< Key length in bits
+ exponent: string &optional &log; ##< Exponent, if RSA-certificate
+ curve: string &optional &log; ##< Curve, if EC-certificate
+ };
 type Extension: record {
 name: string; ##< Long name of extension. oid if name not known
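Review bot: `cn` is now the only field of `X509::Certificate` without `&log`, and nothing in the record says that the omission is deliberate, so a later cleanup could add the attribute back and change the log's columns. I would extend its doc comment to something like `##< Last (most specific) common name. Not logged; available to scripts only.` With the record-level `&log` replaced by per-field attributes, any field added to this record later is silently left out of the log unless it carries its own `&log`; a one-line comment above `type Certificate: record {` stating that would help whoever extends the record. Analysts who rely on the certificate log to spot suspicious names will have to work from `subject`, which presumably still contains the CN. The enclosing `export {` block continues outside the hunk.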
diff --git a/testing/btest/Baseline/scripts.base.protocols.ssl.common_name/.stdout b/testing/btest/Baseline/scripts.base.protocols.ssl.common_name/.stdout
new file mode 100644
index 0000000000..0642f10875
--- /dev/null
+++ b/testing/btest/Baseline/scripts.base.protocols.ssl.common_name/.stdout
@@ -0,0 +1,3 @@
+*.gstatic.com
+Google Internet Authority
+No CN
diff --git a/testing/btest/Traces/tls/cert-no-cn.pcap b/testing/btest/Traces/tls/cert-no-cn.pcap
new file mode 100644
index 0000000000..d208c696b5
Binary files /dev/null and b/testing/btest/Traces/tls/cert-no-cn.pcap differ
diff --git a/testing/btest/scripts/base/protocols/ssl/common_name.test b/testing/btest/scripts/base/protocols/ssl/common_name.test
new file mode 100644
index 0000000000..fa14e19045
--- /dev/null
+++ b/testing/btest/scripts/base/protocols/ssl/common_name.test
@@ -0,0 +1,13 @@
+# This tests a normal SSL connection and the log it outputs.
+
+# @TEST-EXEC: bro -r $TRACES/tls/tls-conn-with-extensions.trace %INPUT
+# @TEST-EXEC: bro -C -r $TRACES/tls/cert-no-cn.pcap %INPUT
+# @TEST-EXEC: btest-diff .stdout
+
+event x509_certificate(f: fa_file, cert_ref: opaque of x509, cert: X509::Certificate)
+ {
+ if ( cert?$cn )
+ print cert$cn;
+ else
+ print "No CN";
+ }
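Review bot: The header comment in `common_name.test`, `# This tests a normal SSL connection and the log it outputs.`, does not describe this test, which prints `cert$cn` for each `x509_certificate` event and checks the fallback when the field is absent. I would replace it with `# Tests that X509::Certificate$cn holds the certificate's common name and is unset when the subject has no CN.` The second `@TEST-EXEC` passes `-C` without explanation; a short comment giving the reason (presumably the capture carries invalid checksums) would keep it from being dropped later. The record documents `cn` as the last (most specific) common name, but the three-line baseline does not visibly include a certificate with several CN attributes, so that selection rule may be untested. Since the CN is peer-supplied data that detection scripts will match on, a case with an unusual CN encoding would also be worth adding.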