diff --git a/agent/connect/ca/provider_consul.go b/agent/connect/ca/provider_consul.go
index 01c4987e07d8..3b833fc87c6d 100644
--- a/agent/connect/ca/provider_consul.go
+++ b/agent/connect/ca/provider_consul.go
@@ -227,7 +227,13 @@ func (c *ConsulProvider) GenerateIntermediateCSR() (string, string, error) {
 		return "", "", err
 	}
 
-	csr, err := connect.CreateCACSR(c.spiffeID, signer)
+	uid, err := connect.CompactUID()
+	if err != nil {
+		return "", "", err
+	}
+	cn := connect.CACN("consul", uid, c.clusterID, c.isPrimary)
+
+	csr, err := connect.CreateCACSR(c.spiffeID, cn, signer)
 	if err != nil {
 		return "", "", err
 	}
diff --git a/agent/connect/ca/provider_consul_test.go b/agent/connect/ca/provider_consul_test.go
index 0c6959c7f5d4..d3903c3497d5 100644
--- a/agent/connect/ca/provider_consul_test.go
+++ b/agent/connect/ca/provider_consul_test.go
@@ -452,6 +452,10 @@ func testSignIntermediateCrossDC(t *testing.T, provider1, provider2 Provider) {
 	// Sign the CSR with provider1.
 	intermediatePEM, err := provider1.SignIntermediate(csr)
 	require.NoError(t, err)
+	intermediateCert, err := connect.ParseCert(intermediatePEM)
+	require.NoError(t, err)
+	require.NotEmpty(t, intermediateCert.Subject.CommonName)
+
 	root, err := provider1.GenerateCAChain()
 	require.NoError(t, err)
 	rootPEM := root
@@ -478,6 +482,8 @@ func testSignIntermediateCrossDC(t *testing.T, provider1, provider2 Provider) {
 	require.NoError(t, err)
 	requireNotEncoded(t, cert.SubjectKeyId)
 	requireNotEncoded(t, cert.AuthorityKeyId)
+	require.NotEmpty(t, cert.Issuer.CommonName)
+	require.Equal(t, cert.Issuer.CommonName, intermediateCert.Subject.CommonName)
 
 	// Check that the leaf signed by the new cert can be verified using the
 	// returned cert chain (signed intermediate + remote root).
diff --git a/agent/connect/csr.go b/agent/connect/csr.go
index 9cf0d884dea7..c54a5726fcc7 100644
--- a/agent/connect/csr.go
+++ b/agent/connect/csr.go
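Review bot: The CN construction is the only new logic in this hunk and carries no comment saying why a freshly generated UID is baked into the intermediate's subject name, so a reader cannot tell whether a distinct subject per generated CSR is intended or incidental. Suggest `// Embed a fresh UID in the CN so each generated intermediate gets a distinct subject name — confirm this is the intent` above the `connect.CompactUID()` call. GenerateIntermediateCSR begins before this hunk, so whether a caller wraps the error is not visible here; the bare `return "", "", err` after CompactUID matches the surrounding style but loses which step failed, and `fmt.Errorf("generating intermediate CSR uid: %w", err)` would keep that (using whichever error helper the file already imports).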
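Review bot: `require.NotEmpty(t, intermediateCert.Subject.CommonName)` only proves the signer populated some subject; it would pass equally if SignIntermediate wrote a CN unrelated to the one carried in the CSR, which appears to be the relationship this change is establishing. Comparing against the CSR's own subject is the stronger check: decode `csr` with `pem.Decode`, parse it with `x509.ParseCertificateRequest`, and assert `require.Equal(t, req.Subject.CommonName, intermediateCert.Subject.CommonName)`. testSignIntermediateCrossDC starts before this hunk, so that `csr` is PEM text is inferred only from its use with SignIntermediate.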
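Review bot: `require.Equal(t, cert.Issuer.CommonName, intermediateCert.Subject.CommonName)` passes the operands in the wrong order for testify, whose signature is Equal(t, expected, actual); on failure the diff will label the intermediate's subject as "actual" and the leaf's issuer as "expected", which is backwards for what this test is checking. Swap them: `require.Equal(t, intermediateCert.Subject.CommonName, cert.Issuer.CommonName)`. The preceding `require.NotEmpty(t, cert.Issuer.CommonName)` is then implied by the earlier NotEmpty on the intermediate's subject plus the equality; keep it only if the clearer failure message is wanted.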
@@ -94,13 +94,31 @@ func CreateCSR(uri CertURI, privateKey crypto.Signer,
 
 // CreateCSR returns a CA CSR to sign the given service along with the PEM-encoded
 // private key for this certificate.
-func CreateCACSR(uri CertURI, privateKey crypto.Signer) (string, error) {
+func CreateCACSR(uri CertURI, commonName string, privateKey crypto.Signer) (string, error) {
 	ext, err := CreateCAExtension()
 	if err != nil {
 		return "", err
 	}
-
-	return CreateCSR(uri, privateKey, nil, nil, ext)
+	template := &x509.CertificateRequest{
+		URIs: []*url.URL{uri.URI()},
+		SignatureAlgorithm: SigAlgoForKey(privateKey),
+		ExtraExtensions: []pkix.Extension{ext},
+		Subject: pkix.Name{CommonName: commonName},
+	}
+
+	// Create the CSR itself
+	var csrBuf bytes.Buffer
+	bs, err := x509.CreateCertificateRequest(rand.Reader, template, privateKey)
+	if err != nil {
+		return "", err
+	}
+
+	err = pem.Encode(&csrBuf, &pem.Block{Type: "CERTIFICATE REQUEST", Bytes: bs})
+	if err != nil {
+		return "", err
+	}
+
+	return csrBuf.String(), nil
 }
 
 // CreateCAExtension creates a pkix.Extension for the x509 Basic Constraints
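Review bot: The doc comment left as context above the new signature is now wrong on three counts: it names `CreateCSR` rather than `CreateCACSR`, promises a PEM-encoded private key that the function does not return, and says nothing about the new `commonName` parameter. Replace the two comment lines with `// CreateCACSR returns a PEM-encoded CA CSR for uri, with commonName as the` / `// subject CN, signed with privateKey.` The body now duplicates the template-build and PEM-encode steps of CreateCSR (whose definition begins before this hunk) instead of extending it to accept a subject, so a later fix to one path will silently miss the other; either thread the subject through CreateCSR or add a comment explaining why the CA path diverges. An empty commonName is also accepted silently and produces an empty subject, which is exactly the state the test hunk guards against on the signed certificate; rejecting it here with an error would catch the mistake at the source.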