diff --git a/authority/authorize.go b/authority/authorize.go
index 1dd77c1a..17cd37a5 100644
--- a/authority/authorize.go
+++ b/authority/authorize.go
@@ -20,7 +20,7 @@ type idUsed struct {
 // Claims extends jwt.Claims with step attributes.
 type Claims struct {
 	jwt.Claims
-	SANS []string `json:"sans,omitempty"`
+	SANs []string `json:"sans,omitempty"`
 }
 
 // matchesAudience returns true if A and B share at least one element.
@@ -123,10 +123,10 @@ func (a *Authority) Authorize(ott string) ([]interface{}, error) {
 	// NOTE: This is for backwards compatibility with older versions of cli
 	// and certificates. Older versions added the token subject as the only SAN
 	// in a CSR by default.
-	if len(claims.SANS) == 0 {
-		claims.SANS = []string{claims.Subject}
+	if len(claims.SANs) == 0 {
+		claims.SANs = []string{claims.Subject}
 	}
-	dnsNames, ips := SplitSANS(claims.SANS)
+	dnsNames, ips := SplitSANs(claims.SANs)
 	if err != nil {
 		return nil, err
 	}
@@ -150,10 +150,10 @@ func (a *Authority) Authorize(ott string) ([]interface{}, error) {
 	return signOps, nil
 }
 
-// SplitSANS splits a slice of Subject Alternative Names into slices of
+// SplitSANs splits a slice of Subject Alternative Names into slices of
 // IP Addresses and DNS Names. If an element is not an IP address, then it
 // is bucketed as a DNS Name.
-func SplitSANS(sans []string) (dnsNames []string, ips []net.IP) {
+func SplitSANs(sans []string) (dnsNames []string, ips []net.IP) {
 	dnsNames = []string{}
 	ips = []net.IP{}
 	if sans == nil {
diff --git a/ca/client.go b/ca/client.go
index f6eea62d..5f997dea 100644
--- a/ca/client.go
+++ b/ca/client.go
@@ -452,7 +452,7 @@ func CreateSignRequest(ott string) (*api.SignRequest, crypto.PrivateKey, error)
 		return nil, nil, errors.Wrap(err, "error generating key")
 	}
 
-	dnsNames, ips := authority.SplitSANS(claims.SANS)
+	dnsNames, ips := authority.SplitSANs(claims.SANs)
 
 	template := &x509.CertificateRequest{
 		Subject: pkix.Name{