diff --git a/x509/x509ext.go b/x509/x509ext.go
index 26660300..bc780d64 100644
--- a/x509/x509ext.go
+++ b/x509/x509ext.go
@@ -149,8 +149,9 @@ func forEachSAN(extension []byte, callback func(ext asn1.RawValue) error) error
 	return nil
 }
 
-// MarshalSubjectAltName converts a SubjectAltName struct into a pkix.Extension.
-func MarshalSubjectAltName(san *SubjectAltName) (pkix.Extension, error) {
+// MarshalSubjectAltName converts a SubjectAltName struct into a pkix.Extension,
+// allowing callers to specify if the extension is critical.
+func MarshalSubjectAltName(san *SubjectAltName, critical bool) (pkix.Extension, error) {
 	var generalNames []asn1.RawValue
 	for _, permID := range san.PermanentIdentifiers {
 		val, err := marshalOtherName(oidPermanentIdentifier, permID)
@@ -171,7 +172,8 @@ func MarshalSubjectAltName(san *SubjectAltName) (pkix.Extension, error) {
 		return pkix.Extension{}, err
 	}
 	return pkix.Extension{
-		Id:    oid.SubjectAltName,
-		Value: val,
+		Id:       oid.SubjectAltName,
+		Critical: critical,
+		Value:    val,
 	}, nil
 }