diff --git a/builtin/logical/ssh/path_issue_sign.go b/builtin/logical/ssh/path_issue_sign.go
index e6f225ffd..8e6056c46 100644
--- a/builtin/logical/ssh/path_issue_sign.go
+++ b/builtin/logical/ssh/path_issue_sign.go
@@ -93,7 +93,7 @@ func (b *backend) pathSignIssueCertificateHelper(ctx context.Context, req *logic
 		return logical.ErrorResponse(err.Error()), nil
 	}
 
-	extensions, err := b.calculateExtensions(data, req, role)
+	extensions, addExtTemplatingWarning, err := b.calculateExtensions(data, req, role)
 	if err != nil {
 		return logical.ErrorResponse(err.Error()), nil
 	}
@@ -140,6 +140,10 @@ func (b *backend) pathSignIssueCertificateHelper(ctx context.Context, req *logic
 		},
 	}
 
+	if addExtTemplatingWarning {
+		response.AddWarning("default_extension templating enabled with at least one extension requiring identity templating. However, this request lacked identity entity information, causing one or more extensions to be skipped from the generated certificate.")
+	}
+
 	return response, nil
 }
 
@@ -300,7 +304,7 @@ func (b *backend) calculateCriticalOptions(data *framework.FieldData, role *sshR
 	return criticalOptions, nil
 }
 
-func (b *backend) calculateExtensions(data *framework.FieldData, req *logical.Request, role *sshRole) (map[string]string, error) {
+func (b *backend) calculateExtensions(data *framework.FieldData, req *logical.Request, role *sshRole) (map[string]string, bool, error) {
 	unparsedExtensions := data.Get("extensions").(map[string]interface{})
 	extensions := make(map[string]string)
 
@@ -308,7 +312,7 @@ func (b *backend) calculateExtensions(data *framework.FieldData, req *logical.Re
 		extensions := convertMapToStringValue(unparsedExtensions)
 		if role.AllowedExtensions == "*" {
 			// Allowed extensions was configured to allow all
-			return extensions, nil
+			return extensions, false, nil
 		}
 
 		notAllowed := []string{}
@@ -320,11 +324,13 @@ func (b *backend) calculateExtensions(data *framework.FieldData, req *logical.Re
 		}
 
 		if len(notAllowed) != 0 {
-			return nil, fmt.Errorf("extensions %v are not on allowed list", notAllowed)
+			return nil, false, fmt.Errorf("extensions %v are not on allowed list", notAllowed)
 		}
-		return extensions, nil
+		return extensions, false, nil
 	}
 
+	haveMissingEntityInfoWithTemplatedExt := false
+
 	if role.DefaultExtensionsTemplate {
 		for extensionKey, extensionValue := range role.DefaultExtensions {
 			// Look for templating markers {{ .* }}
@@ -337,8 +343,10 @@ func (b *backend) calculateExtensions(data *framework.FieldData, req *logical.Re
 						// Template returned an extension value that we can use
 						extensions[extensionKey] = templateExtensionValue
 					} else {
-						return nil, fmt.Errorf("template '%s' could not be rendered -> %s", extensionValue, err)
+						return nil, false, fmt.Errorf("template '%s' could not be rendered -> %s", extensionValue, err)
 					}
+				} else {
+					haveMissingEntityInfoWithTemplatedExt = true
 				}
 			} else {
 				// Static extension value or err template
@@ -349,7 +357,7 @@ func (b *backend) calculateExtensions(data *framework.FieldData, req *logical.Re
 		extensions = role.DefaultExtensions
 	}
 
-	return extensions, nil
+	return extensions, haveMissingEntityInfoWithTemplatedExt, nil
 }
 
 func (b *backend) calculateTTL(data *framework.FieldData, role *sshRole) (time.Duration, error) {