diff --git a/authority/authority.go b/authority/authority.go
index a4e107d8..f9ec6fbf 100644
--- a/authority/authority.go
+++ b/authority/authority.go
@@ -4,13 +4,18 @@ import (
 "crypto/sha256"
 realx509 "crypto/x509"
 "encoding/hex"
+ "fmt"
+ "net"
 "sync"
 "time"
 
+ "github.com/pkg/errors"
 "github.com/smallstep/cli/crypto/pemutil"
 "github.com/smallstep/cli/crypto/x509util"
 )
 
+const legacyAuthority = "step-certificate-authority"
+
 // Authority implements the Certificate Authority internal interface.
 type Authority struct {
 config *Config
@@ -23,6 +28,7 @@ type Authority struct {
 provisionerIDIndex *sync.Map
 encryptedKeyIndex *sync.Map
 provisionerKeySetIndex *sync.Map
+ audiences []string
 // Do not re-initialize
 initOnce bool
 }
@@ -64,6 +70,21 @@ func (a *Authority) init() error {
 sum := sha256.Sum256(a.rootX509Crt.Raw)
 a.certificates.Store(hex.EncodeToString(sum[:]), a.rootX509Crt)
 
+ // Define audiences: legacy + possible urls
+ _, port, err := net.SplitHostPort(a.config.Address)
+ if err != nil {
+ return errors.Wrapf(err, "error parsing %s", a.config.Address)
+ }
+ audiences := []string{legacyAuthority}
+ for _, name := range a.config.DNSNames {
+ if port == "443" {
+ audiences = append(audiences, fmt.Sprintf("https://%s/sign", name), fmt.Sprintf("https://%s/1.0/sign", name))
+ }
+ audiences = append(audiences, fmt.Sprintf("https://%s:%s/sign", name, port), fmt.Sprintf("https://%s:%s/1.0/sign", name, port))
+
+ }
+ a.audiences = audiences
+
 // Decrypt and load intermediate public / private key pair.
 if len(a.config.Password) > 0 {
 a.intermediateIdentity, err = x509util.LoadIdentityFromDisk(
diff --git a/authority/authorize.go b/authority/authorize.go
index ba98e2cb..918a3b9e 100644
--- a/authority/authorize.go
+++ b/authority/authorize.go
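Review bot: The new `audiences` field in the `Authority` struct hunk has no doc comment, while the neighbouring `initOnce` field does, and nothing at the declaration says where the value comes from or that `Authorize` depends on it. A comment such as `// audiences holds the token audience values accepted by Authorize; populated by init from config.Address and config.DNSNames.` would make the init-time dependency visible to anyone constructing an Authority another way. The struct declaration starts outside the hunk.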
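Review bot: The accepted audience set in the init hunk is fixed from the listen address, so if the CA listens on a port other than the one clients use to reach it (TLS termination or a reverse proxy in front of it, which this code cannot see) every token minted for the public URL is rejected with "invalid audience"; this is inferred from the `port == "443"` special case and is worth either confirming or documenting on the config fields. The `legacyAuthority` value is appended unconditionally and is not tied to any DNS name, so a comment at the const such as `// legacyAuthority is kept for tokens issued by older clients; it is deployment-independent and so does not bind a token to this particular CA.` would make that trade-off explicit for whoever later decides to retire it. The blank line before the loop's closing brace is stray and the initial capacity could be sized as `make([]string, 1, 1+4*len(a.config.DNSNames))` since the upper bound is known. init continues outside the hunk.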
@@ -15,10 +15,6 @@ type idUsed struct {
 Subject string `json:"sub,omitempty"`
 }
 
-var (
- validTokenAudience = []string{"https://ca/sign", "step-certificate-authority"}
-)
-
 func containsAtLeastOneAudience(claim []string, expected []string) bool {
 if len(expected) == 0 {
 return true
@@ -83,7 +79,7 @@ func (a *Authority) Authorize(ott string) ([]api.Claim, error) {
 http.StatusUnauthorized, errContext}
 }
 
- if !containsAtLeastOneAudience(claims.Audience, validTokenAudience) {
+ if !containsAtLeastOneAudience(claims.Audience, a.audiences) {
 return nil, &apiError{errors.New("invalid audience"),
 http.StatusUnauthorized, errContext}
 }
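Review bot: Passing `a.audiences` to `containsAtLeastOneAudience` makes the audience check fail open when the slice is empty, because the helper's visible first branch returns true for `len(expected) == 0`; the old package-level list could never be empty, but the new field is nil on any Authority whose init has not run or returned early, and the check is then skipped for every token. Failing closed at the call site, `if len(a.audiences) == 0 { return nil, &apiError{errors.New("authority audiences not initialized"), http.StatusInternalServerError, errContext} }`, keeps the helper's semantics unchanged while making a missing configuration an error rather than a bypass. Authorize starts outside the hunk.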