diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
index 8a96b81c2..096429067 100644
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -2797,7 +2797,8 @@ func TestBackend_AllowedDomainsTemplate(t *testing.T) {
 // Write role PKI.
 _, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
- "allowed_domains": []string{"foobar.com", "zipzap.com", "{{identity.entity.aliases." + userpassAccessor + ".name}}"},
+ "allowed_domains": []string{"foobar.com", "zipzap.com", "{{identity.entity.aliases." + userpassAccessor + ".name}}",
+ "foo.{{identity.entity.aliases." + userpassAccessor + ".name}}.example.com"},
 "allowed_domains_template": true,
 "allow_bare_domains": true,
 })
@@ -2824,6 +2825,12 @@ func TestBackend_AllowedDomainsTemplate(t *testing.T) {
 t.Fatal("expected error")
 }
+ // Issue certificate for foo.userpassname.domain.
+ _, err = client.Logical().Write("pki/issue/test", map[string]interface{}{"common_name": "foo.userpassname.example.com"})
+ if err != nil {
+ t.Fatal("expected error")
+ }
+
 // Set allowed_domains_template to false.
 _, err = client.Logical().Write("pki/roles/test", map[string]interface{}{
 "allowed_domains_template": false,
diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
index 608dbf014..2a2c9b9b5 100644
--- a/builtin/logical/pki/cert_util.go
+++ b/builtin/logical/pki/cert_util.go
@@ -315,8 +315,8 @@ func validateNames(b *backend, data *inputBundle, names []string) string {
 }
 if data.role.AllowedDomainsTemplate {
- matched, _ := regexp.MatchString(`^{{.+?}}$`, currDomain)
- if matched && data.req.EntityID != "" {
+ isTemplate, _ := framework.ValidateIdentityTemplate(currDomain)
+ if isTemplate && data.req.EntityID != "" {
 tmpCurrDomain, err := framework.PopulateIdentityTemplate(currDomain, data.req.EntityID, b.System())
 if err != nil {
 continue
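Review bot: The failure message on the added `if err != nil` branch is inverted: it fires when issuance fails, yet reports `expected error`, which sends whoever debugs a regression in the wrong direction; use `t.Fatalf("unexpected error: %v", err)`. The comment above it names `foo.userpassname.domain` while the request uses `foo.userpassname.example.com`; align it with the CN actually issued. The added case only proves the templated subdomain can be issued for the matching entity; a companion negative request for a different label in the same position (something like `foo.otheruser.example.com`, failing the test when `err == nil`) would show that the substitution does not widen what the role allows. TestBackend_AllowedDomainsTemplate starts and ends outside the hunk.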
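Review bot: The value produced by `framework.PopulateIdentityTemplate` is spliced into `currDomain` with no check on its contents, and with this change the template can now sit in the middle of a domain, so an entity-alias name containing `.`, `*` or whitespace would reshape the allowed pattern rather than fill a single label; alias names come from the auth backend and, for external identity providers, from data the provider controls. If the matching that follows this hunk honours globs, reject a substitution that introduces a wildcard the template itself did not carry: `if strings.Contains(tmpCurrDomain, "*") && !strings.Contains(currDomain, "*") { continue }` (presumably `strings` is already imported in this file; verify). The error from `ValidateIdentityTemplate` is discarded on the new `isTemplate, _ :=` line; a comment such as `// a malformed template is kept as a literal domain, which no real hostname can match` would record that this is a deliberate fail-closed choice rather than an oversight. Whether `regexp` is still used elsewhere in cert_util.go after this removal is not visible here. validateNames starts and ends outside the hunk.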