diff --git a/authority/admin/api/policy.go b/authority/admin/api/policy.go
index d294060c..b84c18c5 100644
--- a/authority/admin/api/policy.go
+++ b/authority/admin/api/policy.go
@@ -2,7 +2,6 @@ package api
 import (
 "errors"
- "fmt"
 "net/http"
 "go.step.sm/linkedca"
@@ -87,9 +86,7 @@ func (par *PolicyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r
 return
 }
- fmt.Println("before: ", newPolicy)
- applyDefaults(newPolicy)
- fmt.Println("after: ", newPolicy)
+ applyConditionalDefaults(newPolicy)
 adm := linkedca.AdminFromContext(ctx)
@@ -107,7 +104,7 @@ func (par *PolicyAdminResponder) CreateAuthorityPolicy(w http.ResponseWriter, r
 return
 }
- render.JSONStatus(w, createdPolicy, http.StatusCreated)
+ render.ProtoJSONStatus(w, createdPolicy, http.StatusCreated)
 }
 // UpdateAuthorityPolicy handles the PUT /admin/authority/policy request
@@ -208,7 +205,7 @@ func (par *PolicyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter,
 return
 }
- applyDefaults(newPolicy)
+ applyConditionalDefaults(newPolicy)
 prov.Policy = newPolicy
@@ -375,12 +372,13 @@ func (par *PolicyAdminResponder) DeleteACMEAccountPolicy(w http.ResponseWriter,
 render.JSONStatus(w, DeleteResponse{Status: "ok"}, http.StatusOK)
 }
-func applyDefaults(p *linkedca.Policy) {
+// applyConditionalDefaults applies default settings in case they're not provided
+// in the request body.
+func applyConditionalDefaults(p *linkedca.Policy) {
 if p.GetX509() == nil {
 return
 }
 if p.GetX509().VerifySubjectCommonName == nil {
 p.X509.VerifySubjectCommonName = &wrapperspb.BoolValue{Value: true}
 }
- return
 }
diff --git a/authority/admin/api/policy_test.go b/authority/admin/api/policy_test.go
index cc4f64fb..41fe05ae 100644
--- a/authority/admin/api/policy_test.go
+++ b/authority/admin/api/policy_test.go
@@ -12,6 +12,7 @@ import (
 "testing"
 "google.golang.org/protobuf/encoding/protojson"
+ "google.golang.org/protobuf/types/known/wrapperspb"
 "go.step.sm/linkedca"
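Review bot: The `applyConditionalDefaults(newPolicy)` call in CreateAuthorityPolicy, and the matching one in the CreateProvisionerPolicy hunk further down, cover only the two create handlers touched by this diff. If the update handlers and the ACME account policy handlers in this file store the request body without calling it, a policy submitted there with `VerifySubjectCommonName` omitted would be persisted with the field unset instead of `true`. How an unset value is treated when the policy is enforced is not visible here, so either confirm that unset means enabled or call the helper on every path that accepts a `linkedca.Policy` body. Both functions start and end outside their hunks.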
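Review bot: `render.ProtoJSONStatus` replaces `render.JSONStatus` only for the CreateAuthorityPolicy response at the end of that function; no other policy-returning handler in this file is touched by the diff. If those handlers also return a `*linkedca.Policy` and `render.JSONStatus` goes through encoding/json (presumably, not shown here), the wrapper-typed `VerifySubjectCommonName` field would be serialised as a nested object there and as a plain boolean here. A client decoding every response with protojson could then reject or misread the policy depending on which endpoint it called. Switching all policy responses in the same change would keep the wire format uniform.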
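Review bot: The new doc comment on applyConditionalDefaults does not say which default is applied or when the function does nothing, which is the part a reader auditing the policy defaults needs. Suggested wording: `// applyConditionalDefaults sets X509.VerifySubjectCommonName to true when the policy has an X509 section that leaves it unset. A policy without an X509 section is left unchanged and an explicit false is kept.` The body also mixes `p.GetX509()` with direct `p.X509` access; reading the section once into a local, `x := p.GetX509()`, and using it for both the nil guard and the assignment would make it obvious they refer to the same value.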
@@ -1920,3 +1921,83 @@ func TestPolicyAdminResponder_DeleteACMEAccountPolicy(t *testing.T) {
 })
 }
 }
+
+func Test_applyConditionalDefaults(t *testing.T) {
+ tests := []struct {
+ name string
+ policy *linkedca.Policy
+ expected *linkedca.Policy
+ }{
+ {
+ name: "no-x509",
+ policy: &linkedca.Policy{
+ Ssh: &linkedca.SSHPolicy{},
+ },
+ expected: &linkedca.Policy{
+ Ssh: &linkedca.SSHPolicy{},
+ },
+ },
+ {
+ name: "with-x509-verify-subject-common-name",
+ policy: &linkedca.Policy{
+ X509: &linkedca.X509Policy{
+ Allow: &linkedca.X509Names{
+ Dns: []string{"*.local"},
+ },
+ VerifySubjectCommonName: &wrapperspb.BoolValue{Value: true},
+ },
+ },
+ expected: &linkedca.Policy{
+ X509: &linkedca.X509Policy{
+ Allow: &linkedca.X509Names{
+ Dns: []string{"*.local"},
+ },
+ VerifySubjectCommonName: &wrapperspb.BoolValue{Value: true},
+ },
+ },
+ },
+ {
+ name: "without-x509-verify-subject-common-name",
+ policy: &linkedca.Policy{
+ X509: &linkedca.X509Policy{
+ Allow: &linkedca.X509Names{
+ Dns: []string{"*.local"},
+ },
+ VerifySubjectCommonName: &wrapperspb.BoolValue{Value: false},
+ },
+ },
+ expected: &linkedca.Policy{
+ X509: &linkedca.X509Policy{
+ Allow: &linkedca.X509Names{
+ Dns: []string{"*.local"},
+ },
+ VerifySubjectCommonName: &wrapperspb.BoolValue{Value: false},
+ },
+ },
+ },
+ {
+ name: "no-x509-verify-subject-common-name",
+ policy: &linkedca.Policy{
+ X509: &linkedca.X509Policy{
+ Allow: &linkedca.X509Names{
+ Dns: []string{"*.local"},
+ },
+ },
+ },
+ expected: &linkedca.Policy{
+ X509: &linkedca.X509Policy{
+ Allow: &linkedca.X509Names{
+ Dns: []string{"*.local"},
+ },
+ VerifySubjectCommonName: &wrapperspb.BoolValue{Value: true},
+ },
+ },
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ applyConditionalDefaults(tt.policy)
+ assert.Equals(t, tt.expected, tt.policy)
+ })
+ }
+}
diff --git a/go.mod b/go.mod
index ed1d26bf..104538a3 100644
--- a/go.mod
+++ b/go.mod
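Review bot: The case named `without-x509-verify-subject-common-name` in Test_applyConditionalDefaults actually supplies an explicit `VerifySubjectCommonName` of false, while the neighbouring `no-x509-verify-subject-common-name` is the genuinely unset case. The two names read as synonyms although they pin opposite behaviours: an explicit opt-out is kept, an omitted field becomes true. Renaming them, for example to `explicit-false-is-kept` and `unset-defaults-to-true`, would make that security-relevant distinction visible in test output. A case with an empty section, `X509: &linkedca.X509Policy{}`, would also pin the default on the smallest input that triggers it.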
@@ -20,7 +20,7 @@ require (
 github.com/go-kit/kit v0.10.0 // indirect
 github.com/go-piv/piv-go v1.7.0
 github.com/golang/mock v1.6.0
- github.com/golang/protobuf v1.5.2
+ github.com/golang/protobuf v1.5.2 // indirect
 github.com/google/go-cmp v0.5.7
 github.com/google/uuid v1.3.0
 github.com/googleapis/gax-go/v2 v2.1.1