From 69902b01534aadc7151a674e683aaf8b7af5b34f Mon Sep 17 00:00:00 2001
From: Mariano Cano <mariano@smallstep.com>
Date: Tue, 14 Jul 2020 12:42:46 -0700
Subject: [PATCH] For iid provisioners use only the csr name if custom sans is
 disabled.

The provisioner will validate the common name om a list of options.
---
 x509util/templates.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/x509util/templates.go b/x509util/templates.go
index 55c90e52..8ef8d5d3 100644
--- a/x509util/templates.go
+++ b/x509util/templates.go
@@ -78,10 +78,11 @@ const DefaultLeafTemplate = `{
 // The keyUsage "keyEncipherment" is special and it will be only used for RSA
 // keys.
 const DefaultIIDLeafTemplate = `{
-	"subject": {{ toJson .CR.Subject }},
 	{{- if .SANs }}
+	"subject": {"commonName": "{{ .CR.Subject.CommonName }}"},
 	"sans": {{ toJson .SANs }},
 	{{- else }}
+	"subject": {{ toJson .CR.Subject }},
 	"dnsNames": {{ toJson .CR.DNSNames }},
 	"emailAddresses": {{ toJson .CR.EmailAddresses }},
 	"ipAddresses": {{ toJson .CR.IPAddresses }},