diff --git a/ca.js b/ca.js
index 8bcea53..46afa59 100644
--- a/ca.js
+++ b/ca.js
@@ -81,8 +81,24 @@ function generateCertificate(privateKey, publicKey) {
 	return pki.certificateToPem(cert);
 }
 
-function verifyCSR(csrPem) {
+function verifyCSR(csrPem, allowedDomains) {
 	const csr = pki.certificationRequestFromPem(csrPem);
+	const subject = csr.subject.getField('CN').value;
+	if (!allowedDomains.includes(subject)) {
+		throw new Error('No permission for subject');
+	}
+	const exts = csr.getAttribute({name: 'extensionRequest'});
+	if (exts && exts.extensions) {
+		const altNamesExt = exts.extensions.find(ext => ext.name === 'subjectAltName');
+		if (altNamesExt) {
+			const badAltNames = altNamesExt.altNames.some(altName => {
+				return !allowedDomains.includes(altName.value);
+			});
+			if (badAltNames) {
+				throw new Error('No permission for altnames');
+			}
+		}
+	}
 	const caCert = RootCACertificate;
 	const caKey = RootCAPrivateKey;
 	if (!csr.verify()) {
diff --git a/controllers/certs.js b/controllers/certs.js
index 6fc2586..3113cbb 100644
--- a/controllers/certs.js
+++ b/controllers/certs.js
@@ -235,14 +235,11 @@ exports.deleteCert = async (req, res) => {
  * Delete the map entries of the body 'domain'
  */
 exports.verifyUserCSR = (req, res, next) => {
-	if (res.locals.user.username !== "admin") {
-		return dynamicResponse(req, res, 403, { error: 'CA signed origin certs are only supported on enterprise plans' });
-	}
 	if(!req.body || !req.body.csr || typeof req.body.csr !== 'string' || req.body.csr.length === 0) {
 		return dynamicResponse(req, res, 400, { error: 'Invalid csr' });
 	}
 	try {
-		const signedCert = verifyCSR(req.body.csr);
+		const signedCert = verifyCSR(req.body.csr, res.locals.user.domains);
 		return dynamicResponse(req, res, 200, `<pre>${signedCert}</pre>`);
 	} catch (e) {
 		return next(e);
diff --git a/server.js b/server.js
index 9a68dae..ec0f1c3 100644
--- a/server.js
+++ b/server.js
@@ -43,8 +43,9 @@ app.prepare()
 		});
 
 		server.use((err, req, res, next) => {
-			console.error(err)
-			return res.end();
+			const now = Date.now();
+			console.error('An error occurred', now, err);
+			return res.send('An error occurred. Please contact support with code: '+now);
 		});
 
 		server.listen(3000, (err) => {