diff --git a/builtin/credential/cert/path_login.go b/builtin/credential/cert/path_login.go
index f517cbb4cf70..51f7b59fb526 100644
--- a/builtin/credential/cert/path_login.go
+++ b/builtin/credential/cert/path_login.go
@@ -439,12 +439,28 @@ func validateConnState(roots *x509.CertPool, cs *tls.ConnectionState) ([][]*x509
 }
 }
- chains, err := certs[0].Verify(opts)
- if err != nil {
- if _, ok := err.(x509.UnknownAuthorityError); ok {
- return nil, nil
+ var chains [][]*x509.Certificate
+ var err error
+ switch {
+ case len(certs[0].DNSNames) > 0:
+ for _, dnsName := range certs[0].DNSNames {
+ opts.DNSName = dnsName
+ chains, err = certs[0].Verify(opts)
+ if err != nil {
+ if _, ok := err.(x509.UnknownAuthorityError); ok {
+ return nil, nil
+ }
+ return nil, errors.New("failed to verify client's certificate: " + err.Error())
+ }
+ }
+ default:
+ chains, err = certs[0].Verify(opts)
+ if err != nil {
+ if _, ok := err.(x509.UnknownAuthorityError); ok {
+ return nil, nil
+ }
+ return nil, errors.New("failed to verify client's certificate: " + err.Error())
 }
- return nil, errors.New("failed to verify client's certificate: " + err.Error())
 }
 return chains, nil
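Review bot: The `case len(certs[0].DNSNames) > 0` branch rebuilds the chain once per SAN and overwrites `chains` on every iteration, but as far as I can tell from `x509.Certificate.Verify` the only thing `opts.DNSName` adds is a `VerifyHostname` call on the leaf, and a name taken from the leaf's own `DNSNames` always satisfies that check (I believe it falls back to exact string comparison when the pattern is not a valid hostname), so for a client certificate this loop costs N chain verifications and buys no additional assurance. Unless the intent is something not visible in this hunk, I would keep only the `default` body and document the choice, e.g. `// opts.DNSName is deliberately left unset: this is a client certificate, so hostname binding is not meaningful here; SAN/name restrictions are presumably enforced by the role matching elsewhere in this file — confirm.` Independently, the `err.(x509.UnknownAuthorityError)` assertion in both branches would be more robust as `var uae x509.UnknownAuthorityError` followed by `if errors.As(err, &uae) { return nil, nil }`, since the silent `nil, nil` return is the path that decides whether an untrusted cert is simply "no match" rather than an error. `validateConnState` begins before and ends after this hunk.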