diff --git a/command/agent/template/template.go b/command/agent/template/template.go
index 3ad82050452..2af3a353dc8 100644
--- a/command/agent/template/template.go
+++ b/command/agent/template/template.go
@@ -221,12 +221,13 @@ func newRunnerConfig(sc *ServerConfig, templates ctconfig.TemplateConfigs) (*ctc
 skipVerify := sc.VaultConf.TLSSkipVerify
 verify := !skipVerify
 conf.Vault.SSL = &ctconfig.SSLConfig{
- Enabled: pointerutil.BoolPtr(true),
- Verify: &verify,
- Cert: &sc.VaultConf.ClientCert,
- Key: &sc.VaultConf.ClientKey,
- CaCert: &sc.VaultConf.CACert,
- CaPath: &sc.VaultConf.CAPath,
+ Enabled: pointerutil.BoolPtr(true),
+ Verify: &verify,
+ Cert: &sc.VaultConf.ClientCert,
+ Key: &sc.VaultConf.ClientKey,
+ CaCert: &sc.VaultConf.CACert,
+ CaPath: &sc.VaultConf.CAPath,
+ ServerName: &sc.VaultConf.TLSServerName,
 }
 }
diff --git a/command/agent/template/template_test.go b/command/agent/template/template_test.go
index 9d71bcc547b..c0de3273ded 100644
--- a/command/agent/template/template_test.go
+++ b/command/agent/template/template_test.go
@@ -3,11 +3,13 @@ package template
 import (
 "context"
 "encoding/json"
+ "encoding/pem"
 "fmt"
 "io/ioutil"
 "net/http"
 "net/http/httptest"
 "os"
+ "path/filepath"
 "testing"
 ctconfig "github.com/hashicorp/consul-template/config"
@@ -122,11 +124,7 @@ func TestServerRun(t *testing.T) {
 ExitAfterAuth: true,
 }
- var server *Server
- server = NewServer(&sc)
- if ts == nil {
- t.Fatal("nil server returned")
- }
+ server := NewServer(&sc)
 go server.Run(ctx, templateTokenCh, templatesToRender)
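Review bot: The new `ServerName` entry passes `&sc.VaultConf.TLSServerName` through with no explanation of when it matters, so a short comment would help the next reader; something like `// ServerName is the hostname used for SNI and certificate verification, for deployments where the configured Vault address (an IP or a load-balancer name) does not match a SAN on the server certificate.` Like the neighbouring `CaCert`/`CaPath` entries, an unset value yields a pointer to an empty string, which presumably consul-template treats as "not set" — worth confirming rather than assuming. Assuming consul-template maps these fields onto `crypto/tls`, note that with `TLSSkipVerify` true (`Verify` false) the name is still sent as SNI but no longer checked against the certificate, so it is no substitute for verification. `newRunnerConfig` begins and ends outside the hunk.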
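Review bot: The removed guard tested `ts` rather than `server`, so it never protected the `server.Run` call that follows; the replacement drops the check instead of correcting the variable. If `NewServer` can return nil (not visible here), keep the original intent with `if server == nil { t.Fatal("nil server returned") }` immediately after `server := NewServer(&sc)`; if it cannot, the deletion is fine as it stands. `TestServerRun` begins and ends outside the hunk.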
@@ -162,6 +160,62 @@ func TestServerRun(t *testing.T) {
 }
 }
+func TestServerRunTLS(t *testing.T) {
+ tmpDir, err := ioutil.TempDir("", "agent-tests")
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer os.RemoveAll(tmpDir)
+
+ var gotTLSServerName string
+ ts := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ gotTLSServerName = r.TLS.ServerName
+ fmt.Fprintln(w, jsonResponse)
+ }))
+ defer ts.Close()
+
+ templateTokenCh := make(chan string, 1)
+ templatesToRender := []*ctconfig.TemplateConfig{
+ {
+ Destination: pointerutil.StringPtr(filepath.Join(tmpDir, "render_01")),
+ Contents: pointerutil.StringPtr(templateContents),
+ },
+ }
+
+ caCert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ts.Certificate().Raw})
+ caCertFile := filepath.Join(tmpDir, "ca.pem")
+ if err := ioutil.WriteFile(caCertFile, caCert, 0600); err != nil {
+ t.Fatal(err)
+ }
+
+ sc := ServerConfig{
+ Logger: logging.NewVaultLogger(hclog.Trace),
+ VaultConf: &config.Vault{
+ CACert: caCertFile,
+ Address: ts.URL,
+ // example.com is a name on the net/http localhost cert, see
+ // https://github.com/golang/go/blob/go1.14/src/net/http/internal/testcert.go#L12
+ TLSServerName: "example.com",
+ },
+ LogLevel: hclog.Trace,
+ LogWriter: hclog.DefaultOutput,
+ ExitAfterAuth: true,
+ }
+
+ server := NewServer(&sc)
+
+ go server.Run(context.Background(), templateTokenCh, templatesToRender)
+
+ // send a dummy value to trigger the internal Runner to query for secret
+ // info
+ templateTokenCh <- "test"
+ <-server.DoneCh
+
+ if want := "example.com"; gotTLSServerName != want {
+ t.Errorf("got request TLS ServerName %q, want %q", gotTLSServerName, want)
+ }
+}
+
 func handleRequest(w http.ResponseWriter, r *http.Request) {
 fmt.Fprintln(w, jsonResponse)
 }
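Review bot: `gotTLSServerName` is written inside the handler, which runs on the httptest server's goroutine, and read after `<-server.DoneCh` with nothing but the HTTP round trip ordering the two, so `go test -race` may flag it; guarding the variable with a `sync.Mutex` (or storing it in an `atomic.Value`) in both the handler and the final check would make the read unambiguous. The assertion also only shows that the SNI reached the server: `ts.URL` is a loopback address that the httptest certificate presumably already covers, so verification would succeed with or without `TLSServerName`, and a second case with a name that is not on the certificate, expecting the fetch to be rejected, would pin the verification behaviour the option exists for. The handler also dereferences `r.TLS` without a nil check, which is fine only because the server is created with `NewTLSServer`; a one-line comment saying so would save the next reader a moment. `ioutil.TempDir` plus `defer os.RemoveAll` could be `t.TempDir()` if the module's Go version permits.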