diff --git a/authority/provisioner/k8sSA.go b/authority/provisioner/k8sSA.go
index 143e28f3..f9d1eeb0 100644
--- a/authority/provisioner/k8sSA.go
+++ b/authority/provisioner/k8sSA.go
@@ -206,13 +206,19 @@ func (p *K8sSA) AuthorizeRevoke(ctx context.Context, token string) error {
 
 // AuthorizeSign validates the given token.
 func (p *K8sSA) AuthorizeSign(ctx context.Context, token string) ([]SignOption, error) {
- if _, err := p.authorizeToken(token, p.audiences.Sign); err != nil {
+ claims, err := p.authorizeToken(token, p.audiences.Sign)
+ if err != nil {
 return nil, errs.Wrap(http.StatusInternalServerError, err, "k8ssa.AuthorizeSign")
 }
 
+ // Add some values to use in custom templates.
+ data := x509util.NewTemplateData()
+ data.SetToken(claims)
+ data.SetCommonName(claims.ServiceAccountName)
+
 // Certificate templates: on K8sSA the default template is the certificate
 // request.
- templateOptions, err := CustomTemplateOptions(p.Options, x509util.NewTemplateData(), x509util.CertificateRequestTemplate)
+ templateOptions, err := CustomTemplateOptions(p.Options, data, x509util.CertificateRequestTemplate)
 if err != nil {
 return nil, errs.Wrap(http.StatusInternalServerError, err, "k8ssa.AuthorizeSign")
 }
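Review bot: `data.SetCommonName(claims.ServiceAccountName)` copies the name straight from the token claims, and nothing in this hunk checks that the claim is non-empty. A custom template that renders the common name could therefore issue a certificate with an empty subject CN; whether `authorizeToken` already rejects such tokens is not visible here. The default template is still `x509util.CertificateRequestTemplate`, so these token-derived values presumably only take effect when an operator's template references them, and the subject and SANs otherwise still come from the CSR. I would say so in the comment, e.g. `// Token-derived values for custom templates; with the default CSR template the subject and SANs still come from the request, not from the service account.` The body of AuthorizeSign continues past the end of the hunk.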