diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go
index 2f9d4919b..6e51b1581 100644
--- a/pkg/util/pki/csr.go
+++ b/pkg/util/pki/csr.go
@@ -188,6 +188,7 @@ func GenerateCSR(crt *v1alpha2.Certificate) (*x509.CertificateRequest, error) {
 },
 DNSNames: dnsNames,
 IPAddresses: iPAddresses,
+ URIs: uriNames,
 // TODO: work out how best to handle extensions/key usages here
 ExtraExtensions: []pkix.Extension{},
 }, nil
diff --git a/test/e2e/framework/helper/certificaterequests.go b/test/e2e/framework/helper/certificaterequests.go
index 633fa626a..d6e894358 100644
--- a/test/e2e/framework/helper/certificaterequests.go
+++ b/test/e2e/framework/helper/certificaterequests.go
@@ -96,7 +96,6 @@ func (h *Helper) ValidateIssuedCertificateRequest(cr *v1alpha2.CertificateReques
 // TODO: validate private key KeySize
 
 // check the provided certificate is valid
- expectedCN := csr.Subject.CommonName
 expectedOrganization := csr.Subject.Organization
 expectedDNSNames := csr.DNSNames
 expectedIPAddresses := csr.IPAddresses
@@ -107,7 +106,17 @@ func (h *Helper) ValidateIssuedCertificateRequest(cr *v1alpha2.CertificateReques
 return nil, err
 }
 
- if expectedCN != cert.Subject.CommonName ||
+ commonNameCorrect := true
+ expectedCN := csr.Subject.CommonName
+ if len(expectedCN) == 0 && len(cert.Subject.CommonName) > 0 {
+ if !util.Contains(cert.DNSNames, cert.Subject.CommonName) {
+ commonNameCorrect = false
+ }
+ } else if expectedCN != cert.Subject.CommonName {
+ commonNameCorrect = false
+ }
+
+ if !commonNameCorrect ||
 !util.EqualUnsorted(cert.DNSNames, expectedDNSNames) ||
 !util.EqualUnsorted(cert.Subject.Organization, expectedOrganization) ||
 !util.EqualIPsUnsorted(cert.IPAddresses, expectedIPAddresses) ||
diff --git a/test/e2e/framework/helper/certificates.go b/test/e2e/framework/helper/certificates.go
index cc21c9dbc..1453c0fcd 100644
--- a/test/e2e/framework/helper/certificates.go
+++ b/test/e2e/framework/helper/certificates.go
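Review bot: The commonNameCorrect block added in the -107,7 hunk of certificaterequests.go is duplicated line for line in the -159,7 hunk of certificates.go, differing only in where expectedCN comes from; both files are in the same helper package, so a shared predicate would keep the two validators from drifting apart. The relaxed rule it introduces — an issuer-chosen CN is tolerated when the request had none, but only if that CN is one of the DNS SANs — is what keeps the check from accepting an arbitrary CN, and nothing in the new code says so; a comment on the first branch such as `// The issuer may pick a CN when the CSR had none; accept it only when it is one of the requested DNS SANs.` would make the intent explicit. The membership test is made against cert.DNSNames rather than expectedDNSNames, which is equivalent only because the same condition also requires those two lists to be equal, so testing against expectedDNSNames would state the intent directly and not depend on a sibling clause. ValidateIssuedCertificateRequest starts and ends outside the hunk.
```go
// commonNameMatches reports whether the CN of an issued certificate is
// acceptable for a request whose CN was expectedCN. A request with no CN
// tolerates an issuer-assigned CN only if it is one of the requested DNS SANs.
func commonNameMatches(expectedCN, issuedCN string, expectedDNSNames []string) bool {
	if expectedCN == "" && issuedCN != "" {
		return util.Contains(expectedDNSNames, issuedCN)
	}
	return expectedCN == issuedCN
}

// … unchanged: expectedCN, expectedDNSNames and the parsed cert …
if !commonNameMatches(expectedCN, cert.Subject.CommonName, expectedDNSNames) ||
	!util.EqualUnsorted(cert.DNSNames, expectedDNSNames) ||
```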
@@ -140,7 +140,6 @@ func (h *Helper) ValidateIssuedCertificate(certificate *v1alpha2.Certificate, ro
 // TODO: validate private key KeySize
 
 // check the provided certificate is valid
- expectedCN := certificate.Spec.CommonName
 expectedOrganization := pki.OrganizationForCertificate(certificate)
 expectedDNSNames := pki.DNSNamesForCertificate(certificate)
 uris, err := pki.URIsForCertificate(certificate)
@@ -159,7 +158,18 @@ func (h *Helper) ValidateIssuedCertificate(certificate *v1alpha2.Certificate, ro
 if err != nil {
 return nil, err
 }
- if expectedCN != cert.Subject.CommonName || !util.EqualUnsorted(cert.DNSNames, expectedDNSNames) || !util.EqualUnsorted(pki.URLsToString(cert.URIs), expectedURIs) ||
+
+ commonNameCorrect := true
+ expectedCN := certificate.Spec.CommonName
+ if len(expectedCN) == 0 && len(cert.Subject.CommonName) > 0 {
+ if !util.Contains(cert.DNSNames, cert.Subject.CommonName) {
+ commonNameCorrect = false
+ }
+ } else if expectedCN != cert.Subject.CommonName {
+ commonNameCorrect = false
+ }
+
+ if !commonNameCorrect || !util.EqualUnsorted(cert.DNSNames, expectedDNSNames) || !util.EqualUnsorted(pki.URLsToString(cert.URIs), expectedURIs) ||
 !(len(cert.Subject.Organization) == 0 || util.EqualUnsorted(cert.Subject.Organization, expectedOrganization)) {
 return nil, fmt.Errorf("Expected certificate valid for CN %q, O %v, dnsNames %v, uriSANs %v,but got a certificate valid for CN %q, O %v, dnsNames %v, uriSANs %v", expectedCN, expectedOrganization, expectedDNSNames, expectedURIs, cert.Subject.CommonName, cert.Subject.Organization, cert.DNSNames, cert.URIs)