diff --git a/authority/provisioner/nebula.go b/authority/provisioner/nebula.go
index a77f4281..71c57590 100644
--- a/authority/provisioner/nebula.go
+++ b/authority/provisioner/nebula.go
@@ -140,7 +140,8 @@ func (p *Nebula) AuthorizeSign(ctx context.Context, token string) ([]SignOption,
 	}
 
 	// The Nebula certificate will be available using the template variable Crt.
-	// For example {{ .Crt.Details.Groups }} can be used to get all the groups.
+	// For example {{ .AuthorizationCrt.Details.Groups }} can be used to get all
+	// the groups.
 	data.SetAuthorizationCertificate(crt)
 
 	templateOptions, err := TemplateOptions(p.Options, data)
diff --git a/authority/provisioner/x5c.go b/authority/provisioner/x5c.go
index 8710acb5..342ccd73 100644
--- a/authority/provisioner/x5c.go
+++ b/authority/provisioner/x5c.go
@@ -213,6 +213,11 @@ func (p *X5C) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 		data.SetToken(v)
 	}
 
+	// The X509 certificate will be available using the template variable Crt.
+	// For example {{ .AuthorizationCrt.DNSNames }} can be used to get all the
+	// domains.
+	data.SetAuthorizationCertificate(claims.chains[0][0])
+
 	templateOptions, err := TemplateOptions(p.Options, data)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "jwk.AuthorizeSign")
@@ -287,6 +292,11 @@ func (p *X5C) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption,
 		data.SetToken(v)
 	}
 
+	// The X509 certificate will be available using the template variable Crt.
+	// For example {{ .AuthorizationCrt.DNSNames }} can be used to get all the
+	// domains.
+	data.SetAuthorizationCertificate(claims.chains[0][0])
+
 	templateOptions, err := TemplateSSHOptions(p.Options, data)
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "x5c.AuthorizeSSHSign")