diff --git a/etcdmain/grpc_proxy.go b/etcdmain/grpc_proxy.go
index 50e3d9a64..e79dce776 100644
--- a/etcdmain/grpc_proxy.go
+++ b/etcdmain/grpc_proxy.go
@@ -181,7 +181,11 @@ func startGRPCProxy(cmd *cobra.Command, args []string) {
 }
 grpclog.SetLoggerV2(gl)
- tlsinfo := newTLS(grpcProxyListenCA, grpcProxyListenCert, grpcProxyListenKey)
+ // The proxy itself (ListenCert) can have not-empty CN.
+ // The empty CN is required for grpcProxyCert.
+ // Please see https://github.com/etcd-io/etcd/issues/11970#issuecomment-687875315 for more context.
+ tlsinfo := newTLS(grpcProxyListenCA, grpcProxyListenCert, grpcProxyListenKey, false)
+
 if tlsinfo == nil && grpcProxyListenAutoTLS {
 host := []string{"https://" + grpcProxyListenAddr}
 dir := filepath.Join(grpcProxyDataDir, "fixtures", "proxy")
@@ -320,7 +324,8 @@ func newClientCfg(lg *zap.Logger, eps []string) (*clientv3.Config, error) {
 cfg.MaxCallRecvMsgSize = grpcMaxCallRecvMsgSize
 }
- tls := newTLS(grpcProxyCA, grpcProxyCert, grpcProxyKey)
+ lg.Info("grpcProxyCA for connections to etcd-server")
+ tls := newTLS(grpcProxyCA, grpcProxyCert, grpcProxyKey, true)
 if tls == nil && grpcProxyInsecureSkipTLSVerify {
 tls = &transport.TLSInfo{}
 }
@@ -339,11 +344,11 @@ func newClientCfg(lg *zap.Logger, eps []string) (*clientv3.Config, error) {
 return &cfg, nil
 }
-func newTLS(ca, cert, key string) *transport.TLSInfo {
+func newTLS(ca, cert, key string, requireEmptyCN bool) *transport.TLSInfo {
 if ca == "" && cert == "" && key == "" {
 return nil
 }
- return &transport.TLSInfo{TrustedCAFile: ca, CertFile: cert, KeyFile: key, EmptyCN: true}
+ return &transport.TLSInfo{TrustedCAFile: ca, CertFile: cert, KeyFile: key, EmptyCN: requireEmptyCN}
 }
 func mustListenCMux(lg *zap.Logger, tlsinfo *transport.TLSInfo) cmux.CMux {
diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go
index af0bc1e5d..f1522b1ce 100644
--- a/pkg/transport/listener.go
+++ b/pkg/transport/listener.go
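Review bot: The comment added above `newTLS(grpcProxyListenCA, grpcProxyListenCert, grpcProxyListenKey, false)` records that the listen cert may carry a CN and grpcProxyCert may not, but not why, which is exactly what a maintainer needs before relaxing either flag later. I would state the reason next to the issue link, e.g. `// Listen cert: CN allowed, it only identifies the proxy to its own clients.` / `// Client cert to etcd (grpcProxyCert): CN must stay empty, because etcd can map a client cert's CN to a user, and a CN here would let every proxied request act as that user.` The CN-to-user mapping is etcd auth behaviour rather than anything in this hunk, so confirm the wording against it. startGRPCProxy begins and ends outside the hunk.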
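Review bot: The new `lg.Info("grpcProxyCA for connections to etcd-server")` in newClientCfg is a bare label with no fields, emitted before the nil check, so it prints even when no client TLS files are configured and tells the operator nothing about which files were used. I would log after the TLSInfo is built and only when it is non-nil, with the paths as fields: `if tls != nil {` / `	lg.Info("using client TLS for connections to etcd-server", zap.String("trusted-ca-file", grpcProxyCA), zap.String("cert-file", grpcProxyCert))` / `}`. The adjacent context branch that substitutes an empty TLSInfo when `grpcProxyInsecureSkipTLSVerify` is set is the case an operator most needs to see in the log, and it still logs nothing; a `lg.Warn` there would be more useful than the unconditional Info. newClientCfg begins and ends outside the hunk.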
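Review bot: newTLS gains a `requireEmptyCN bool` parameter but no doc comment, and the two call sites now read `newTLS(..., false)` and `newTLS(..., true)`, which says nothing about what the flag guards. I would add above the signature: `// newTLS builds a TLSInfo from the given CA, cert and key paths, or returns nil when all three are empty.` / `// requireEmptyCN sets TLSInfo.EmptyCN so that the loaded cert is rejected when its Common Name is non-empty; use it for the cert the proxy presents to etcd, not for the listen cert.` The rejection itself is visible in the listener.go hunk's `hasNonEmptyCN` branch; whether that branch is gated on EmptyCN is outside this diff, so confirm before wording it as a guarantee.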
@@ -437,7 +437,7 @@ func (info TLSInfo) ClientConfig() (*tls.Config, error) {
 return tls.X509KeyPair(certPEMBlock, keyPEMBlock)
 })
 if hasNonEmptyCN {
- return nil, fmt.Errorf("cert has non empty Common Name (%s)", cn)
+ return nil, fmt.Errorf("cert has non empty Common Name (%s): %s", cn, info.CertFile)
 }
 }
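Review bot: The cert path appended on the `+` line is formatted with `%s`, so an unset or odd CertFile shows up as a bare trailing colon or an unquoted string in the error; `%q` makes an empty path visible as `""` and quotes anything unusual: `return nil, fmt.Errorf("cert has non empty Common Name (%s): %q", cn, info.CertFile)`. ClientConfig and the computation of hasNonEmptyCN begin before the hunk, so whether this check only runs when EmptyCN is set is not visible here.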