diff --git a/cmd/policygen/linkerd_generator.go b/cmd/policygen/linkerd_generator.go
index 611ebdf..5a1acd4 100644
--- a/cmd/policygen/linkerd_generator.go
+++ b/cmd/policygen/linkerd_generator.go
@@ -15,7 +15,7 @@ func (g LinkerdPolicyGenerator) Init(writer io.Writer) error {
 // start by generating network authentications
 for _, network := range g.config.Networks {
 fmt.Fprintf(os.Stderr, "NetworkAuthentication default/%s\n", network.Name)
- template := g.policyTemplates.PredefineApplicationPolicyTemplate("linkerd", "network-authentication")
+ template := g.policyTemplates.PredefineApplicationPolicyTemplate("linkerd", "networkauthentication")
 if template == nil {
 return fmt.Errorf("Linkerd template for network authentication not found")
 }
@@ -28,11 +28,6 @@ func (g LinkerdPolicyGenerator) Init(writer io.Writer) error {
 }
 func (g LinkerdPolicyGenerator) GenerateNamespace(writer io.Writer, namespace *Namespace) error {
- // and then the meshTLSAuthentications
- for _, app := range namespace.Applications {
- fmt.Fprintf(os.Stderr, "MeshTLSAuthentication %s/%s %v\n",
- namespace.Name, app.Name, app.ServiceAccounts)
- }
 return nil
 }
@@ -42,6 +37,18 @@ func (g LinkerdPolicyGenerator) GenerateCommunicationRule(
 ingress *Ingress,
 egress *Egress) error {
+ // and then the meshTLSAuthentications
+ fmt.Fprintf(os.Stderr, "MeshTLSAuthentication %s/%s %v\n",
+ app.Namespace.Name, app.Name, app.ServiceAccounts)
+ template := g.policyTemplates.PredefineApplicationPolicyTemplate("linkerd", "meshtlsauthentication")
+ if template == nil {
+ return fmt.Errorf("Could not find meshtlsauthentication template")
+ }
+ err := template.Execute(writer, app)
+ if err != nil {
+ return err
+ }
+
 if len(ingress.Applications)+
 len(ingress.Networks)+
 len(egress.Applications)+
diff --git a/cmd/policygen/templates/linkerd/application/meshtlsauthentication.yaml b/cmd/policygen/templates/linkerd/application/meshtlsauthentication.yaml
new file mode 100644
index 0000000..43c276f
--- /dev/null
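Review bot: The bare `return err` after `template.Execute(writer, app)` in the third hunk does not say which application failed, and because Execute streams straight into `writer`, a failure partway through leaves a truncated MeshTLSAuthentication document in the output. I would wrap it as `return fmt.Errorf("rendering meshtlsauthentication for %s/%s: %w", app.Namespace.Name, app.Name, err)` and, if partial manifests matter, render into a `bytes.Buffer` and copy to `writer` only on success. The new block also runs ahead of the `len(ingress.Applications)+…` check; GenerateCommunicationRule's signature and the rest of its body are outside the hunk, so if that check is an early exit for applications without rules, an authentication object is still emitted for them, which is worth confirming as intended. As a style point, the new error string `"Could not find meshtlsauthentication template"` starts with a capital, which Go convention discourages.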
+++ b/cmd/policygen/templates/linkerd/application/meshtlsauthentication.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: policy.linkerd.io/v1alpha1
+kind: MeshTLSAuthentication
+metadata:
+ name: {{ .Name }}
+ namespace: {{ .Namespace.Name }}
+spec:
+ {{- if .ServiceAccounts }}
+ identityRefs:
+ {{- range $sa := .ServiceAccounts }}
+ - kind: ServiceAccount
+ name: {{ $sa }}
+ {{- end }}
+ {{- else }}
+ fail (printf "no service accounts defined for app %s" .Name )
+ {{- end}}
+
diff --git a/cmd/policygen/templates/linkerd/application/network-authentication.yaml b/cmd/policygen/templates/linkerd/application/networkauthentication.yaml
similarity index 100%
rename from cmd/policygen/templates/linkerd/application/network-authentication.yaml
rename to cmd/policygen/templates/linkerd/application/networkauthentication.yaml
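Review bot: The `fail (printf "no service accounts defined for app %s" .Name )` line in the `else` branch sits outside any `{{ }}` action, so the template engine will write it out as literal text under `spec:` instead of aborting the render. An application with no service accounts would then produce a MeshTLSAuthentication with a malformed spec, and generation would still report success, leaving the problem to surface at apply time at the earliest. If a `fail` function is registered in the template's function map (it is not a text/template builtin, and the registration is not visible in this diff), the line should read `{{- fail (printf "no service accounts defined for app %s" .Name) }}`. Otherwise, reject the empty list in the generator before `template.Execute`, e.g. `if len(app.ServiceAccounts) == 0 { return fmt.Errorf("no service accounts defined for app %s", app.Name) }`.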