diff --git a/ca.go b/ca.go
index 54ae09d..c21174e 100644
--- a/ca.go
+++ b/ca.go
@@ -478,7 +478,15 @@ func issueSingleCertificate(def CertificateDefinition) error {
 // Add default dns SAN for server/server-only if none specified
 if strings.Contains(def.Type, "server") && len(def.SAN) == 0 {
- def.SAN = append(def.SAN, "dns:"+def.Subject)
+ // Extract CN if subject is a DN, else use subject as is
+ cn := def.Subject
+ if isDNFormat(def.Subject) {
+ dn := parseDistinguishedName(def.Subject)
+ if dn.CommonName != "" {
+ cn = dn.CommonName
+ }
+ }
+ def.SAN = append(def.SAN, "dns:"+cn)
 }
 priv, err := rsa.GenerateKey(rand.Reader, 4096)
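Review bot: When `isDNFormat(def.Subject)` is true but `dn.CommonName` comes back empty, `cn` still holds the whole DN string, so the default SAN is again `dns:` followed by a raw distinguished name, which is the malformed dNSName this change sets out to avoid, now in a server certificate that clients will fail to match or may reject. I would treat a DN without a CN as an explicit failure rather than a silent fallback, for example `return fmt.Errorf("server certificate %q has no CN and no SAN", def.Subject)` in an `else` on the inner check (assuming `fmt` is already imported in ca.go). Separately, the value placed after `dns:` is never checked to be a hostname: a CN with spaces, a wildcard or an IP literal is passed through unchanged, so a validation step before the `append` would keep operator-supplied subject text from defining what names the certificate asserts. The body of issueSingleCertificate starts and ends outside this hunk, so later SAN parsing may already reject some of these values.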