diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
index bbe506f35b46..33be0946a706 100644
--- a/builtin/logical/pki/cert_util.go
+++ b/builtin/logical/pki/cert_util.go
@@ -41,7 +41,7 @@ var (
 	// when doing the idna conversion, this appears to only affect output, not
 	// input, so it will allow e.g. host^123.example.com straight through. So
 	// we still need to use this to check the output.
-	hostnameRegex                = regexp.MustCompile(`^(\*\.)?(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])$`)
+	hostnameRegex                = regexp.MustCompile(`^(\*\.)?(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])\.?$`)
 	oidExtensionBasicConstraints = []int{2, 5, 29, 19}
 	oidExtensionSubjectAltName   = []int{2, 5, 29, 17}
 )
diff --git a/builtin/logical/pki/cert_util_test.go b/builtin/logical/pki/cert_util_test.go
index bd9517b2ce6b..d457e14dae87 100644
--- a/builtin/logical/pki/cert_util_test.go
+++ b/builtin/logical/pki/cert_util_test.go
@@ -158,3 +158,35 @@ func TestPki_MultipleOUs(t *testing.T) {
 		t.Fatalf("Expected %v, got %v", expected, actual)
 	}
 }
+
+func TestPki_PermitFQDNs(t *testing.T) {
+	var b backend
+	fields := addCACommonFields(map[string]*framework.FieldSchema{})
+
+	apiData := &framework.FieldData{
+		Schema: fields,
+		Raw: map[string]interface{}{
+			"common_name": "example.com.",
+			"ttl":         3600,
+		},
+	}
+	input := &inputBundle{
+		apiData: apiData,
+		role: &roleEntry{
+			AllowAnyName:     true,
+			MaxTTL:           3600,
+			EnforceHostnames: true,
+		},
+	}
+	cb, err := generateCreationBundle(&b, input, nil, nil)
+	if err != nil {
+		t.Fatalf("Error: %v", err)
+	}
+
+	expected := []string{"example.com."}
+	actual := cb.Params.DNSNames
+
+	if !reflect.DeepEqual(expected, actual) {
+		t.Fatalf("Expected %v, got %v", expected, actual)
+	}
+}