pub fn extract_machine_id(cn: &str, suffix: &str) -> String
Idempotent: passes through bare CNs unchanged, strips canonical wrapper.