diff --git a/account/mksyscert.in b/account/mksyscert.in
index fa7d7da1e1644d0eedcef51c7b1f96022796f1b3..1faedc409e09572a1505feeb8280a4afdb76f461 100755
--- a/account/mksyscert.in
+++ b/account/mksyscert.in
@@ -218,6 +218,9 @@ system("cp -f $TEMPLATE syscert.cnf") == 0
 open(TEMP, ">>syscert.cnf")
     or fatal("Could not open $TEMPLATE for append: $!");
 
+if (defined($urn)) {
+    print TEMP "subjectAltName=\@req_altname\n";
+}
 print TEMP "basicConstraints=critical,CA:" .
     ( $is_ca ? "TRUE" : "FALSE" ) . "\n\n";
 
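Review bot: The added `subjectAltName=\@req_altname` line is appended to the end of the copied template, so it only becomes a request extension while `[ request_extensions ]` remains the last section of syscert.cnf.in, and nothing here records that dependency. I would add `# Appended to [ request_extensions ]; that section must stay last in $TEMPLATE.` above the `if`. The same `defined($urn)` test is repeated in the later hunk that writes `[ req_altname ]`, and the two must stay in step, because a reference without its section would presumably make the openssl request fail. Computing the condition once, e.g. `my $have_urn = defined($urn) && $urn ne "";`, would keep them aligned and would also stop an empty URN from producing a bare `URI=` line.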
@@ -241,10 +244,12 @@ print TEMP "OU\t\t= \"$orgunit\"\n";
 print TEMP "CN\t\t= $uuid\n";
 print TEMP "emailAddress\t= $email\n";
 
-print TEMP "\n";
-print TEMP "[ req_altname ]\n";
-print TEMP "URI=$urn\n" if defined( $urn );
-print TEMP "\n";
+if (defined($urn)) {
+    print TEMP "\n";
+    print TEMP "[ req_altname ]\n";
+    print TEMP "URI=$urn\n";
+    print TEMP "\n";
+}
 
 close(TEMP)
     or fatal("Could not close syscert.cnf: $!");
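Review bot: `print TEMP "URI=$urn\n";` writes `$urn` into the OpenSSL config verbatim, so a value containing a newline could add further lines or sections to syscert.cnf, and a `$` would be subject to OpenSSL's variable expansion. That changes what ends up in the certificate's subjectAltName, which matters if the URN is later used as an identity. No validation is visible in this hunk; it may exist earlier in the script, but if not, a guard before the block would close this, for example `fatal("URN contains characters not allowed in syscert.cnf") if ($urn =~ /[\s\$]/);`. The neighbouring `CN`, `OU` and `emailAddress` lines interpolate values the same way and would benefit from the same check.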
diff --git a/ssl/syscert.cnf.in b/ssl/syscert.cnf.in
index 03dfea101bf50cd980aed350686090ff23352561..cc2ba70f456514850f348e0fffbb904add18817b 100644
--- a/ssl/syscert.cnf.in
+++ b/ssl/syscert.cnf.in
@@ -12,7 +12,7 @@ oid_section		= protogeni_oids
 [ protogeni_oids ]
 xmlrpc = 2.25.305821105408246119474742976030998643995
 
+# Modifed for update 5.21
 # This will be appended to by mksyscert.
 [ request_extensions ]
 subjectKeyIdentifier=hash
-subjectAltName=@req_altname
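Review bot: The added comment `# Modifed for update 5.21` is misspelled and says neither what changed nor why, so a later reader cannot tell that `subjectAltName` was removed from the template on purpose. A comment that states the contract would be more useful, for example `# subjectAltName is written by mksyscert only when a URN is supplied; keep this section last so the appended lines land here.` The "keep this section last" part is inferred from mksyscert appending to the end of the file and should be confirmed.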