diff --git a/authority/tls.go b/authority/tls.go
index 1c9c7897..76f1e43d 100644
--- a/authority/tls.go
+++ b/authority/tls.go
@@ -93,7 +93,7 @@ func withDefaultASN1DN(def *x509util.ASN1DN) x509util.WithOption {
 func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Options, extraOpts ...provisioner.SignOption) (*x509.Certificate, *x509.Certificate, error) {
 var (
 errContext = context{"csr": csr, "signOptions": signOpts}
- mods = []x509util.WithOption{}
+ mods = []x509util.WithOption{withDefaultASN1DN(a.config.AuthorityConfig.Template)}
 certValidators = []provisioner.CertificateValidator{}
 )
 for _, op := range extraOpts {
@@ -102,7 +102,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
 certValidators = append(certValidators, k)
 case provisioner.CertificateRequestValidator:
 if err := k.Valid(csr); err != nil {
- return nil, nil, err
+ return nil, nil, &apiError{err, http.StatusUnauthorized, errContext}
 }
 case provisioner.ProfileModifier:
 mods = append(mods, k.Option(signOpts))
@@ -140,7 +140,7 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Opti
 // FIXME: This should be before creating the certificate.
 for _, v := range certValidators {
 if err := v.Valid(serverCert); err != nil {
- return nil, nil, err
+ return nil, nil, &apiError{err, http.StatusUnauthorized, errContext}
 }
 }
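Review bot: In the first hunk the new `mods` initializer reads `a.config.AuthorityConfig.Template` on every Sign call with no visible nil guard, so an authority whose config lacks that section could panic or sign with an empty default subject, depending on what `withDefaultASN1DN` does with a nil template (its body is outside the hunk). It would be safer to reject a missing template once at configuration load than to find out at signing time. The line also deserves a comment on ordering, for example `// Authority-wide subject defaults go first; provisioner ProfileModifiers are appended after them in the loop below.` Sign's body continues outside the hunk.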
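Review bot: Both validator failures, `k.Valid(csr)` in the second hunk and `v.Valid(serverCert)` in the third, are now reported as `http.StatusUnauthorized`, which tells the client its credentials were rejected even when the cause is a request that breaks a provisioner constraint. If these validators check request content rather than caller identity (their bodies are not visible here), `http.StatusForbidden` or `http.StatusBadRequest` would describe the failure more accurately and keep clients from retrying with fresh tokens. The attached `errContext` carries the whole `csr` and `signOpts`, so it is worth confirming that `apiError` only logs that context server-side and never serializes it into the response body.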
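Review bot: The certificate validators in the third hunk still run on `serverCert` after it has been created, as the FIXME above the loop admits, and this commit only changes how the rejection is reported. If any code between creation and this loop signs, stores or logs the certificate (those lines are outside the hunk), a certificate that fails validation would already exist by the time the 401 is returned. Either move the checks ahead of creation as the FIXME asks, or expand the comment to state the invariant, for example `// Nothing may persist or return serverCert before these validators pass.`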