diff --git a/templates/server/puppetserver/conf.d/auth.conf.erb b/templates/server/puppetserver/conf.d/auth.conf.erb
index 85c69346..d6069ecc 100644
--- a/templates/server/puppetserver/conf.d/auth.conf.erb
+++ b/templates/server/puppetserver/conf.d/auth.conf.erb
@@ -202,6 +202,46 @@ authorization: {
 sort-order: 500
 name: "puppetlabs cert clean"
 },
+ {
+ # Allow the CA CLI to access the certificate sign endpoint
+ match-request: {
+ path: "/puppet-ca/v1/sign"
+ type: path
+ method: post
+ }
+ allow: [
+<%- @server_ca_client_allowlist.each do |client| -%>
+ "<%= client %>",
+<%- end -%>
+ {
+ extensions: {
+ pp_cli_auth: "true"
+ }
+ }
+ ]
+ sort-order: 500
+ name: "puppetlabs cert sign"
+ },
+ {
+ # Allow the CA CLI to access the certificate sign all endpoint
+ match-request: {
+ path: "/puppet-ca/v1/sign/all"
+ type: path
+ method: post
+ }
+ allow: [
+<%- @server_ca_client_allowlist.each do |client| -%>
+ "<%= client %>",
+<%- end -%>
+ {
+ extensions: {
+ pp_cli_auth: "true"
+ }
+ }
+ ]
+ sort-order: 500
+ name: "puppetlabs cert sign all"
+ },
 {
 # Allow unauthenticated access to the status service endpoint
 match-request: {
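Review bot: Both new rules fill their `allow` lists from `@server_ca_client_allowlist`, so every client already on that list gains the right to sign certificate requests, including every pending one through `/puppet-ca/v1/sign/all`. If the list was populated with hosts meant only to query or clean certificates (the earlier rules lie outside this hunk), their authority widens without any change to their configuration. I would state this in the parameter's documentation and in the template, for example `# NOTE: clients in server_ca_client_allowlist may sign pending CSRs; keep the list to CA administration hosts`. Separately, as far as I understand Puppet Server's `type: path` matching, `/puppet-ca/v1/sign` is a prefix match that also covers `/puppet-ca/v1/sign/all`, and both rules share `sort-order: 500`. The two `allow` lists should therefore stay identical, otherwise a later tightening of only the second rule may have no effect.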