Subject Name in CSR #184

Closed
dondsouza opened this issue Nov 21, 2022 · 1 comment

@dondsouza

Hello, I am trying to integrate Istio with the Venafi TPP CA using cert-manager and cert-manager-istio-csr. I was installing cert-manager-istio-csr with Helm, following the instructions outlined here.

```sh
helm install -n cert-manager cert-manager-istio-csr jetstack/cert-manager-istio-csr \
  --set "app.tls.rootCAFile=/var/run/secrets/istio-csr/ca.pem" \
  --set "volumeMounts[0].name=root-ca" \
  --set "volumeMounts[0].mountPath=/var/run/secrets/istio-csr" \
  --set "volumes[0].name=root-ca" \
  --set "volumes[0].secret.secretName=istio-root-ca" \
  --set "app.logLevel=5" \
  --set "app.tls.trustDomain=REDACTED" \
  --set "app.certmanager.preserveCertificateRequests=true"
```

However, the deployment is failing while trying to fetch the initial serving certificate. The error I get from Venafi TPP is that the "common name is not allowed in this policy". I had a look at the CSR and noticed that the "subject" name appears as "O =".

```
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: O =
```

As per my Venafi TPP contact, the Subject name should be the same as the SAN name. I even tried setting "tls.certificateDNSNames" to the appropriate sub-domain, but the value appears in the SAN and not in the Subject Name. Am I missing anything here?

cert-manager-istio-csr version: v0.5.0
cert-manager version: v1.9.2
k8s version: EKS 1.22
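
A way to check a CSR for the condition described above before it reaches the CA, as an added example that is not part of the original post or of the cert-manager-istio-csr code base: it builds a CSR with the same shape (empty `O`, no CN, DNS name only in the SAN) and reports whether the Subject CN matches a DNS SAN. The function names and the DNS name `istio-csr.example.internal` are constructed for illustration, and the block assumes Go 1.21 or later for the `slices` package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"slices"
)

// buildSampleCSR (hypothetical helper) makes a constructed CSR shaped like the
// one in the issue: Subject "O =" with no CN, and the DNS name only in the SAN.
func buildSampleCSR(dnsName string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{Organization: []string{""}}, DNSNames: []string{dnsName}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// inspectCSR returns the Subject CN, the DNS SANs, and whether a non-empty CN equals one of the SANs.
func inspectCSR(pemBytes []byte) (string, []string, bool, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return "", nil, false, fmt.Errorf("no CERTIFICATE REQUEST PEM block found")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return "", nil, false, err
	}
	cn := csr.Subject.CommonName
	return cn, csr.DNSNames, cn != "" && slices.Contains(csr.DNSNames, cn), nil
}

func main() {
	csrPEM, err := buildSampleCSR("istio-csr.example.internal")
	if err != nil {
		panic(err)
	}
	fmt.Println(inspectCSR(csrPEM))
}
```
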

@dondsouza
Author

Closing this "issue" as it seems to be "expected" behavior and cannot be overridden.

#168
