t.Run(id, func(t *testing.T) {
			certOptions := c.certOptions
			certPem, privPem, err := GenCertKeyFromOptions(certOptions)
			if err != nil {
				t.Errorf("[%s] cert/key generation error: %v", id, err)
			}

			for _, host := range strings.Split(certOptions.Host, ",") {
				c.verifyFields.Host = host
				root := rsaCaCertPem
				if c.certOptions.ECSigAlg != "" {
					root = ecCaCertPem
				}

			certOptions: &CertOptions{
				Host:       "watt",
				TTL:        100 * 365 * 24 * time.Hour,
				Org:        "Juju org",
				IsCA:       false,
				RSAKeySize: 2048,
			},
			expectedErr: "",
		},
		"No SAN EC": {
			caCertFile:    ecRootCertFile,
			caKeyFile:     ecRootKeyFile,
			certChainFile: nil,
			rootCertFile:  ecRootCertFile,
			certOptions: &CertOptions{
				Host:     "watt",

	return opts, nil
}

// MergeCertOptions merges deltaOpts into defaultOpts and returns the merged
// CertOptions. Only called by a self-signed Citadel.
func MergeCertOptions(defaultOpts, deltaOpts CertOptions) CertOptions {
	if len(deltaOpts.Org) > 0 {
		defaultOpts.Org = deltaOpts.Org
	}
	// TODO(JimmyCYJ): merge other fields, e.g. Host, IsDualUse, etc.
	return defaultOpts
}

	cases := map[string]struct {
		forCA         bool
		certOpts      util.CertOptions
		maxTTL        time.Duration
		requestedTTL  time.Duration
		verifyFields  util.VerifyFields
		expectedError string
	}{
		"Workload uses RSA": {
			forCA: false,
			certOpts: util.CertOptions{
				// This value is not used, instead, subjectID should be used in certificate.

	b.cert, _ = ParsePemEncodedCertificate(certBytes)
	privKey, _ := ParsePemEncodedKey(privKeyBytes)
	b.privKey = &privKey
	b.mutex.Unlock()
}

// CertOptions returns the certificate config based on currently stored cert.
func (b *KeyCertBundle) CertOptions() (*CertOptions, error) {
	b.mutex.RLock()
	defer b.mutex.RUnlock()
	ids, err := ExtractIDs(b.cert.Extensions)
	if err != nil {

	// cert options differ from default cert options used by rotator.
	oldCertOrg := "old cert org"
	oldCertRSAKeySize := 2048
	customCertOptions := util.CertOptions{
		TTL:          rotator.config.caCertTTL,
		Org:          oldCertOrg,
		IsCA:         true,
		IsSelfSigned: true,
		RSAKeySize:   oldCertRSAKeySize,
	}

					return err
				}
			}

			// 3. if use cacerts disabled, create `istio-ca-secret`, otherwise create `cacerts`.
			pkiCaLog.Infof("CASecret %s not found, will create one", caCertName)
			options := util.CertOptions{
				TTL:          caCertTTL,
				Org:          org,
				IsCA:         true,
				IsSelfSigned: true,
				RSAKeySize:   caRSAKeySize,
				IsDualUse:    dualUse,
			}

	if err != nil {
		rootCertRotatorLog.Warnf("Failed to generate cert options from existing root certificate (%v), "+
			"new root certificate may not match old root certificate", err)
	}
	options := util.CertOptions{
		TTL:           rotator.config.caCertTTL,
		SignerPrivPem: caSecret.Data[CAPrivateKeyFile],
		Org:           rotator.config.org,
		IsCA:          true,
		IsSelfSigned:  true,

				}
			} else if err != nil {
				t.Fatalf("failed at updateMutatingWebhookConfig: %v", err)
			}
		})
	}
}

func createFakeCsr(t *testing.T) []byte {
	options := pkiutil.CertOptions{
		Host:       "fake.com",
		RSAKeySize: 2048,
		PKCS8Key:   false,
		ECSigAlg:   pkiutil.SupportedECSignatureAlgorithms("ECDSA"),
	}
	csrPEM, _, err := pkiutil.GenCSR(options)
	if err != nil {

		Namespace:      sc.configOptions.WorkloadNamespace,
		ServiceAccount: sc.configOptions.ServiceAccount,
	}

	cacheLog.Debugf("constructed host name for CSR: %s", csrHostName.String())
	options := pkiutil.CertOptions{
		Host:       csrHostName.String(),
		RSAKeySize: sc.configOptions.WorkloadRSAKeySize,
		PKCS8Key:   sc.configOptions.Pkcs8Keys,
		ECSigAlg:   pkiutil.SupportedECSignatureAlgorithms(sc.configOptions.ECCSigAlg),