diff --git a/interop-testing/src/main/java/io/grpc/testing/integration/AbstractInteropTest.java b/interop-testing/src/main/java/io/grpc/testing/integration/AbstractInteropTest.java
index 8a41203e11b..75d9f03690b 100644
--- a/interop-testing/src/main/java/io/grpc/testing/integration/AbstractInteropTest.java
+++ b/interop-testing/src/main/java/io/grpc/testing/integration/AbstractInteropTest.java
@@ -2208,7 +2208,7 @@ protected void assertX500SubjectDn(String tlsInfo) {
 X509Certificate x509cert = (X509Certificate) certificates.get(0);
 assertEquals(1, certificates.size());
- assertEquals(tlsInfo, x509cert.getSubjectDN().toString());
+ assertEquals(tlsInfo, x509cert.getSubjectX500Principal().toString());
 }
 protected int operationTimeoutMillis() {
diff --git a/netty/src/test/java/io/grpc/netty/AdvancedTlsTest.java b/netty/src/test/java/io/grpc/netty/AdvancedTlsTest.java
index 5a1afdefd46..c60cb4824dd 100644
--- a/netty/src/test/java/io/grpc/netty/AdvancedTlsTest.java
+++ b/netty/src/test/java/io/grpc/netty/AdvancedTlsTest.java
@@ -198,7 +198,7 @@ public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authTy
 throw new CertificateException("peerCertChain is empty");
 }
 X509Certificate leafCert = peerCertChain[0];
- if (!leafCert.getSubjectDN().getName().contains("testclient")) {
+ if (!leafCert.getSubjectX500Principal().getName().contains("testclient")) {
 throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
 }
 }
@@ -210,7 +210,7 @@ public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authTy
 throw new CertificateException("peerCertChain is empty");
 }
 X509Certificate leafCert = peerCertChain[0];
- if (!leafCert.getSubjectDN().getName().contains("testclient")) {
+ if (!leafCert.getSubjectX500Principal().getName().contains("testclient")) {
 throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
 }
 }
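Review bot: The `contains("testclient")` test in `verifyPeerCertificate` (AdvancedTlsTest.java, hunk at -198) matches that text anywhere in the subject string, so the verifier accepts a leaf whose other attributes or a longer common name merely include it; the accessor swap leaves that as it was. Since this class is what the test presents as a custom peer check, comparing the parsed CN for equality would model the check more faithfully, for example parsing with `new LdapName(leafCert.getSubjectX500Principal().getName())` and calling `equals` on the value of the `CN` RDN. The same substring check appears in the hunk at -210 and, with `*.test.google.com.au`, in the hunks at -237 and -249. Each method starts above its hunk, so any earlier checks are not visible here.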
@@ -237,7 +237,8 @@ public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authTy
 throw new CertificateException("peerCertChain is empty");
 }
 X509Certificate leafCert = peerCertChain[0];
- if (!leafCert.getSubjectDN().getName().contains("*.test.google.com.au")) {
+ if (!leafCert.getSubjectX500Principal().getName()
+ .contains("*.test.google.com.au")) {
 throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
 }
 }
@@ -249,7 +250,8 @@ public void verifyPeerCertificate(X509Certificate[] peerCertChain, String authTy
 throw new CertificateException("peerCertChain is empty");
 }
 X509Certificate leafCert = peerCertChain[0];
- if (!leafCert.getSubjectDN().getName().contains("*.test.google.com.au")) {
+ if (!leafCert.getSubjectX500Principal().getName()
+ .contains("*.test.google.com.au")) {
 throw new CertificateException("SslSocketAndEnginePeerVerifier failed");
 }
 }
diff --git a/util/src/test/java/io/grpc/util/CertificateUtilsTest.java b/util/src/test/java/io/grpc/util/CertificateUtilsTest.java
index 35923994483..aef99c0f378 100644
--- a/util/src/test/java/io/grpc/util/CertificateUtilsTest.java
+++ b/util/src/test/java/io/grpc/util/CertificateUtilsTest.java
@@ -53,7 +53,7 @@ public void readPemCertFile() throws CertificateException, IOException {
 // Checks some information on the test certificate.
 assertThat(cert[0].getSerialNumber()).isEqualTo(new BigInteger(
 "6c97d344427a93affea089d6855d4ed63dd94f38", 16));
- assertThat(cert[0].getSubjectDN().getName()).isEqualTo(
+ assertThat(cert[0].getSubjectX500Principal().toString()).isEqualTo(
 "CN=*.test.google.com.au, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU");
 }
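Review bot: In CertificateUtilsTest.java the assertion in `readPemCertFile` (hunk at -53) now pins `X500Principal.toString()`, which the JDK documents only as a user-friendly rendering, while the production call site changed in this commit (GrpcAuthorizationEngine) uses `getName()`. Asserting on `getName()` would tie the test to the specified RFC 2253 form; the expected literal would then lose the space after each comma and should read `"CN=*.test.google.com.au,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"`. If `toString()` is kept, a comment such as `// toString() keeps the ", "-separated text; getName() would be RFC 2253` would record why the two differ. `readCaPemFile` (hunk at -74) has the same pattern.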
@@ -74,7 +74,7 @@ public void readCaPemFile() throws CertificateException, IOException {
 // Checks some information on the test certificate.
 assertThat(cert[0].getSerialNumber()).isEqualTo(new BigInteger(
 "5ab3f456f1dccbe2cfe94b9836d88bf600610f9a", 16));
- assertThat(cert[0].getSubjectDN().getName()).isEqualTo(
+ assertThat(cert[0].getSubjectX500Principal().toString()).isEqualTo(
 "CN=testca, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU");
 }
diff --git a/xds/src/main/java/io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine.java b/xds/src/main/java/io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine.java
index ac7302fc38a..3b55b757222 100644
--- a/xds/src/main/java/io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine.java
+++ b/xds/src/main/java/io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngine.java
@@ -334,10 +334,11 @@ private Collection getPrincipalNames() {
 return Collections.unmodifiableCollection(principalNames);
 }
 }
- if (cert.getSubjectDN() == null || cert.getSubjectDN().getName() == null) {
+ if (cert.getSubjectX500Principal() == null
+ || cert.getSubjectX500Principal().getName() == null) {
 return Collections.singleton("");
 }
- return Collections.singleton(cert.getSubjectDN().getName());
+ return Collections.singleton(cert.getSubjectX500Principal().getName());
 } catch (SSLPeerUnverifiedException | CertificateParsingException ex) {
 log.log(Level.FINE, "Unexpected getPrincipalNames error.", ex);
 return Collections.singleton("");
diff --git a/xds/src/test/java/io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngineTest.java b/xds/src/test/java/io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngineTest.java
index 44b3407ba0a..4fb38f661e1 100644
--- a/xds/src/test/java/io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngineTest.java
+++ b/xds/src/test/java/io/grpc/xds/internal/rbac/engine/GrpcAuthorizationEngineTest.java
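Review bot: `getPrincipalNames()` in GrpcAuthorizationEngine.java (hunk at -334) now returns `getSubjectX500Principal().getName()`, which is the RFC 2253 rendering with no space after each comma, whereas the CertificateUtilsTest hunks in this same commit switched to `toString()` so that their unchanged `CN=..., O=...` literals still match what `getSubjectDN().getName()` produced. If the returned names feed the RBAC principal matchers (the caller is outside the hunk), a rule written against the spaced form could stop matching after this change, which matters most for a DENY rule. State the format at the return with a comment such as `// RFC 2253 form from X500Principal.getName(); not the legacy getSubjectDN().getName() text`, and pin it with a test that stubs a multi-attribute subject, e.g. `new X500Principal("CN=testclient, O=Example")` (constructed value). The three `getSubjectX500Principal()` calls could also share one local, `X500Principal subject = cert.getSubjectX500Principal();`. The method begins above the hunk.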
@@ -51,13 +51,13 @@
 import io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine.SourceIpMatcher;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
-import java.security.Principal;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
+import javax.security.auth.x500.X500Principal;
 import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
@@ -279,7 +279,7 @@ public void authenticatedMatcher() throws Exception {
 X509Certificate mockCert = mock(X509Certificate.class);
 when(sslSession.getPeerCertificates()).thenReturn(new X509Certificate[]{mockCert});
 assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.DENY);
- when(mockCert.getSubjectDN()).thenReturn(mock(Principal.class));
+ when(mockCert.getSubjectX500Principal()).thenReturn(new X500Principal(""));
 assertThat(engine.evaluate(HEADER, serverCall).decision()).isEqualTo(Action.DENY);
 when(mockCert.getSubjectAlternativeNames()).thenReturn(Arrays.>asList(
 Arrays.asList(2, "*.test.google.fr")));