diff --git a/webserver/chocolate.py b/webserver/chocolate.py
index 0bcd862d8..f1bce6c38 100755
--- a/webserver/chocolate.py
+++ b/webserver/chocolate.py
@@ -140,7 +140,10 @@ class index:
         if not CSR.csr_goodkey(csr):
             self.die(r, r.UnsafeKey, nonce)
             return
-        # TODO: check goodness of cn field
+        if not CSR.can_sign(CSR.cn(csr)):
+            self.die(r, r.CannotIssueThatName, nonce)
+            return
+        # TODO: check goodness of subjectAltName fields!
         self.sessions.make_request(self.session, (nonce, CSR.cn(csr), csr))
         r.proceed.timestamp = int(time.time())
         r.proceed.polldelay = 10