diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go index 185488a7a109..e99100657858 100644 --- a/builtin/logical/pki/cert_util.go +++ b/builtin/logical/pki/cert_util.go @@ -659,7 +659,7 @@ func validateNames(b *backend, data *inputBundle, names []string) string { if data.role.AllowGlobDomains && strings.Contains(currDomain, "*") && - glob.Glob(currDomain, name) { + glob.Glob(strings.ToLower(currDomain), strings.ToLower(name)) { valid = true break } diff --git a/builtin/logical/pki/cert_util_test.go b/builtin/logical/pki/cert_util_test.go index 7fb811cb8fcf..82a4f2a50bde 100644 --- a/builtin/logical/pki/cert_util_test.go +++ b/builtin/logical/pki/cert_util_test.go @@ -174,6 +174,24 @@ func TestPki_PermitFQDNs(t *testing.T) { expectedDnsNames: []string{"Example.Net", "eXaMPLe.COM"}, expectedEmails: []string{}, }, + "case insensitivity subdomain validation": { + input: &inputBundle{ + apiData: &framework.FieldData{ + Schema: fields, + Raw: map[string]interface{}{ + "common_name": "SUB.EXAMPLE.COM", + "ttl": 3600, + }, + }, + role: &roleEntry{ + AllowedDomains: []string{"example.com", "*.Example.com"}, + AllowGlobDomains: true, + MaxTTL: 3600, + }, + }, + expectedDnsNames: []string{"SUB.EXAMPLE.COM"}, + expectedEmails: []string{}, + }, "case email as AllowedDomain with bare domains": { input: &inputBundle{ apiData: &framework.FieldData{ diff --git a/changelog/22126.txt b/changelog/22126.txt new file mode 100644 index 000000000000..e6633ec3a050 --- /dev/null +++ b/changelog/22126.txt @@ -0,0 +1,3 @@ +```release-note:bug +secrets/pki: allowed_domains are now compared in a case-insensitive manner if they use glob patterns +``` \ No newline at end of file
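Review bot: Lowering with `strings.ToLower` applies full Unicode case mapping, so a requested name that is not ASCII can fold onto an ASCII glob: U+212A KELVIN SIGN lowers to `k`, letting a SAN such as `sub.example.com` written with a Kelvin sign satisfy `*.example.com` and be issued with the non-ASCII byte intact. The `+` line in this hunk is the only place the comparison happens, and nothing in the hunk restricts `name` to LDH ASCII; if an earlier check in `validateNames` (the function starts before and continues after this hunk) or hostname enforcement already rejects non-ASCII names, this is moot, but that is not visible here and such enforcement is typically role-configurable. I would fold ASCII only so a non-ASCII name can never be widened into a match, and add a comment saying why plain `ToLower` is avoided.

```go
if data.role.AllowGlobDomains &&
	strings.Contains(currDomain, "*") &&
	glob.Glob(asciiLower(currDomain), asciiLower(name)) {
// … unchanged: valid = true / break …

// asciiLower lowercases only A-Z. strings.ToLower is deliberately not used:
// Unicode case mapping folds characters such as U+212A KELVIN SIGN to 'k',
// which would let a non-ASCII SAN satisfy an ASCII allowed_domains glob.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if 'A' <= c && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}
```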
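Review bot: The new "case insensitivity subdomain validation" case only asserts acceptance; there is no companion case showing that the lowered glob still rejects a name outside the allowed domains, so a regression that made the glob branch too permissive would pass this table. I would add a sibling entry with the same role but `"common_name": "SUB.EXAMPLE.ORG"` and, if the table supports it, an expected error rather than `expectedDnsNames`, plus one with a non-ASCII look-alike (e.g. a Kelvin sign in place of `k`) that must also be rejected. The test function `TestPki_PermitFQDNs` starts and ends outside this hunk, so whether the table already has an error-expectation field is not visible here.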