diff --git a/agent/cache-types/connect_ca_leaf.go b/agent/cache-types/connect_ca_leaf.go
index 64a9edb7e9..61c9fedc4e 100644
--- a/agent/cache-types/connect_ca_leaf.go
+++ b/agent/cache-types/connect_ca_leaf.go
@@ -503,6 +503,7 @@ func (c *ConnectCALeaf) generateNewLeaf(req *ConnectCALeafRequest,
 // Build the cert uri
 var id connect.CertURI
+ var commonName string
 if req.Service != "" {
 id = &connect.SpiffeIDService{
 Host: roots.TrustDomain,
@@ -510,12 +511,14 @@ func (c *ConnectCALeaf) generateNewLeaf(req *ConnectCALeafRequest,
 Namespace: "default",
 Service: req.Service,
 }
+ commonName = fmt.Sprintf("%s.%s.service.%s.%s.%s", req.NodeName, req.ServiceID, roots.TrustDomain[:8], req.Datacenter, req.Domain)
 } else if req.Agent != "" {
 id = &connect.SpiffeIDAgent{
 Host: roots.TrustDomain,
 Datacenter: req.Datacenter,
 Agent: req.Agent,
 }
+ commonName = fmt.Sprintf("%s.agent.%s.%s.%s", req.NodeName, roots.TrustDomain[:8], req.Datacenter, req.Domain)
 } else {
 return result, errors.New("URI must be either service or agent")
 }
@@ -527,7 +530,7 @@ func (c *ConnectCALeaf) generateNewLeaf(req *ConnectCALeafRequest,
 }
 
 // Create a CSR.
- csr, err := connect.CreateCSR(id, pk)
+ csr, err := connect.CreateCSR(id, commonName, pk)
 if err != nil {
 return result, err
 }
@@ -616,8 +619,11 @@ func (c *ConnectCALeaf) SupportsBlocking() bool {
 type ConnectCALeafRequest struct {
 Token string
 Datacenter string
+ Domain string
 Service string // Service name, not ID
+ ServiceID string
 Agent string // Agent name, not ID
+ NodeName string
 MinQueryIndex uint64
 MaxQueryTime time.Duration
 }
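Review bot: `roots.TrustDomain[:8]` in both new commonName assignments is an unchecked byte slice, so should the roots ever carry a trust domain shorter than eight bytes (an empty string, for instance) the leaf fetch panics inside the agent instead of returning an error. Compute the prefix once with a length guard and use it in both branches, which also removes the duplicated expression. The CN is further built from request-supplied NodeName, ServiceID and Domain with no length bound; X.509's ub-common-name is 64 characters, and while crypto/x509 does not enforce it, a stricter CA provider may reject the CSR, so a bound here is worth considering. If ConnectCALeafRequest.CacheInfo (outside this hunk) does not fold the new fields into the cache key, two requests differing only in ServiceID or NodeName would share one cached leaf carrying the first request's CN — worth confirming. generateNewLeaf starts and ends outside the hunk.
```go
	var commonName string
	// Prefix of the trust domain used in the CN; bounded so that a short
	// or empty TrustDomain cannot make the slice panic.
	tdPrefix := roots.TrustDomain
	if len(tdPrefix) > 8 {
		tdPrefix = tdPrefix[:8]
	}
	if req.Service != "" {
		// … unchanged: SpiffeIDService construction …
		commonName = fmt.Sprintf("%s.%s.service.%s.%s.%s", req.NodeName, req.ServiceID, tdPrefix, req.Datacenter, req.Domain)
	} else if req.Agent != "" {
		// … unchanged: SpiffeIDAgent construction …
		commonName = fmt.Sprintf("%s.agent.%s.%s.%s", req.NodeName, tdPrefix, req.Datacenter, req.Domain)
```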
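Review bot: The three fields added to ConnectCALeafRequest (`Domain`, `ServiceID`, `NodeName`) carry no trailing comment, unlike the neighbouring `Service` and `Agent` fields, even though they now determine the certificate's CN and so affect what a peer sees in the issued leaf. Suggested comments, matching the existing style: `Domain string // Trailing component of the leaf cert CN`, `ServiceID string // Service ID (not name), used in the leaf cert CN`, `NodeName string // Node name, used in the leaf cert CN`. It would also help to note on the struct that these fields must be considered by its cache-key derivation, if that is the intent.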