diff --git a/authority/provisioner/aws.go b/authority/provisioner/aws.go
index 45abac97..9d41f3e2 100644
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@@ -290,14 +290,15 @@ func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 var so []SignOption
 if p.DisableCustomSANs {
 dnsName := fmt.Sprintf("ip-%s.%s.compute.internal", strings.Replace(doc.PrivateIP, ".", "-", -1), doc.Region)
- data.SetSANs([]string{dnsName, doc.PrivateIP})
-
 so = append(so, dnsNamesValidator([]string{dnsName}))
 so = append(so, ipAddressesValidator([]net.IP{
 net.ParseIP(doc.PrivateIP),
 }))
 so = append(so, emailAddressesValidator(nil))
 so = append(so, urisValidator(nil))
+
+ // Template options
+ data.SetSANs([]string{dnsName, doc.PrivateIP})
 }
 
 templateOptions, err := CustomTemplateOptions(p.Options, data, x509util.DefaultIIDLeafTemplate)
diff --git a/authority/provisioner/gcp.go b/authority/provisioner/gcp.go
index 61c815dc..6a9afd1c 100644
--- a/authority/provisioner/gcp.go
+++ b/authority/provisioner/gcp.go
@@ -221,6 +221,7 @@ func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 // Template options
 data := x509util.NewTemplateData()
 data.SetToken(claims)
+ data.SetCommonName(ce.InstanceName)
 
 // Enforce known common name and default DNS if configured.
 // By default we we'll accept the CN and SANs in the CSR.
diff --git a/x509util/templates.go b/x509util/templates.go
index c7e8211e..55c90e52 100644
--- a/x509util/templates.go
+++ b/x509util/templates.go
@@ -78,7 +78,7 @@ const DefaultLeafTemplate = `{
 // The keyUsage "keyEncipherment" is special and it will be only used for RSA
 // keys.
 const DefaultIIDLeafTemplate = `{
- "subject": {{ toJson .Subject }},
+ "subject": {{ toJson .CR.Subject }},
 {{- if .SANs }}
 "sans": {{ toJson .SANs }},
 {{- else }}
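Review bot: The moved `data.SetSANs([]string{dnsName, doc.PrivateIP})` carries only the label `// Template options`, which says what the line is but not why it sits inside the `DisableCustomSANs` branch after the CSR validators, and the next reader will have to work out that the SANs offered to the template are meant to match exactly what the validators just enforced. Suggest replacing the label with a why-comment such as `// Pin the template SANs to the instance identity the validators above enforce; when custom SANs are allowed, SANs are left unset so the template can fall back to the CSR.` — the fallback itself lives in the else branch of DefaultIIDLeafTemplate, which is outside this diff, so confirm that wording against it. This template is the one passed to CustomTemplateOptions at the bottom of the hunk and is also altered by the third hunk of this commit. AuthorizeSign starts before this hunk and continues after it.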
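Review bot: `data.SetCommonName(ce.InstanceName)` is added unconditionally two lines above a comment that still says the CN from the CSR is accepted by default, so the comment and the code now read as contradicting each other. Which value ends up in the certificate depends on the template: the templates.go hunk in this same commit switches DefaultIIDLeafTemplate's subject to `.CR.Subject`, so if GCP signs with that template the instance name set here appears to be consumed only by custom templates that reference `.Subject` — worth stating next to the call, e.g. `// Expose the instance name to templates as .Subject.CommonName; the default IID template takes the subject from the CSR instead.` The AWS hunk in this commit makes no equivalent SetCommonName call, so a custom template referencing `.Subject.CommonName` would render differently for the two IID provisioners; confirm whether that asymmetry is intended. AuthorizeSign starts before this hunk and continues after it.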
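Review bot: Changing the subject to `{{ toJson .CR.Subject }}` means the issued subject is copied verbatim from the CSR, which in an instance-identity flow is supplied by the requester and is only constrained when the provisioner attaches a common-name validator (the gcp.go hunk's comment describes that enforcement as conditional), yet the doc comment above the template still only mentions the keyEncipherment special case. Suggest extending that comment with `// The subject is taken from the CSR; IID provisioners that cannot trust the CSR must enforce the common name with a validator rather than relying on this template.` — the validators themselves live in the provisioner files, not here, so adjust the wording if their behaviour differs. The template literal continues past `{{- else }}`, so the fallback SANs branch is outside this hunk.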