diff --git a/authority/provisioner/jwk.go b/authority/provisioner/jwk.go
index c98d78f2..3a7512b8 100644
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@@ -190,7 +190,7 @@ func (p *JWK) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 		newProvisionerExtensionOption(TypeJWK, p.Name, p.Key.KeyID).WithControllerOptions(p.ctl),
 		profileDefaultDuration(p.ctl.Claimer.DefaultTLSCertDuration()),
 		// validators
-		commonNameValidator(claims.Subject),
+		commonNameSliceValidator(append([]string{claims.Subject}, claims.SANs...)),
 		defaultPublicKeyValidator{},
 		newDefaultSANsValidator(ctx, claims.SANs),
 		newValidityValidator(p.ctl.Claimer.MinTLSCertDuration(), p.ctl.Claimer.MaxTLSCertDuration()),
diff --git a/authority/provisioner/jwk_test.go b/authority/provisioner/jwk_test.go
index bffe1141..c688e914 100644
--- a/authority/provisioner/jwk_test.go
+++ b/authority/provisioner/jwk_test.go
@@ -309,8 +309,8 @@ func TestJWK_AuthorizeSign(t *testing.T) {
 							assert.Len(t, 0, v.KeyValuePairs)
 						case profileDefaultDuration:
 							assert.Equals(t, time.Duration(v), tt.prov.ctl.Claimer.DefaultTLSCertDuration())
-						case commonNameValidator:
-							assert.Equals(t, string(v), "subject")
+						case commonNameSliceValidator:
+							assert.Equals(t, []string(v), append([]string{"subject"}, tt.sans...))
 						case defaultPublicKeyValidator:
 						case *validityValidator:
 							assert.Equals(t, v.min, tt.prov.ctl.Claimer.MinTLSCertDuration())