switch {
	case !csr.DeletionTimestamp.IsZero():
		log.Info("CSR has been deleted. Ignoring.")
	case csr.Spec.SignerName == "":
		log.Info("CSR does not have a signer name. Ignoring.")
	case !exist:
		log.Infof("CSR signer name does not match. Ignoring. signer-name: %s, have %v", csr.Spec.SignerName, strings.Join(maps.Keys(s.signers), ","))
	case csr.Status.Certificate != nil:

	s.faultInjectLock.Unlock()
	return empty
}

// CreateCertificate handles CSR.
func (s *CAServer) CreateCertificate(ctx context.Context, request *pb.IstioCertificateRequest) (
	*pb.IstioCertificateResponse, error,
) {
	caServerLog.Infof("received CSR request")
	if s.shouldReject() {
		caServerLog.Info("force rejecting CSR request")
		return nil, status.Error(codes.Unavailable, "CA server is not available")
	}

openssl x509 -req -in caCertInter.csr -CA caCert.pem -CAkey caKey.pem -CAcreateserial -out caCertInter.pem -days 100000 -extensions v3_ca -extfile intermediate_ca.conf

# Create an intermediate certificate authority with sha1 signature
openssl req -new -nodes -key caKeyInter.pem -days 100000 -out caCertInterSHA1.csr -subj "/CN=${CN_BASE}_intermediate_ca"

			} else {
				t.Errorf("%s: failed to gen CSR", id)
			}
		}

		pemBlock, _ := pem.Decode(csrPem)
		if pemBlock == nil {
			t.Fatalf("%s: failed to decode csr", id)
		}
		csr, err := x509.ParseCertificateRequest(pemBlock.Bytes)
		if err != nil {
			t.Fatalf("%s: failed to parse csr", id)
		}
		if err = csr.CheckSignature(); err != nil {
			t.Errorf("%s: csr signature is invalid", id)
		}

openssl req -new -key root-key.pem -out root-cert.csr -sha256 <<EOF
US
California
Sunnyvale
Istio
Test
Root CA
******@****.***


EOF
openssl x509 -req -days 3650 -in root-cert.csr -sha256 -signkey root-key.pem -out root-cert.pem

# Intermediate CA
#openssl genrsa -out int-key.pem 4096
openssl req -new -key int-key.pem -out int-cert.csr -config int-cert.cfg -batch -sha256

	handler := func(ctx context.Context, csr *certificates.CertificateSigningRequest) error {
		csr.Status.Conditions = append(csr.Status.Conditions, certificates.CertificateSigningRequestCondition{
			Type:    certificates.CertificateApproved,
			Reason:  "test reason",
			Message: "test message",
		})
		_, err := client.CertificatesV1().CertificateSigningRequests().UpdateApproval(context.TODO(), csr.Name, csr, metav1.UpdateOptions{})
		if err != nil {

.SUFFIXES: .csr .pem .conf
.PRECIOUS: %/ca-key.pem %/ca-cert.pem %/cert-chain.pem
.PRECIOUS: %/workload-cert.pem %/key.pem %/workload-cert-chain.pem
.SECONDARY: root-cert.csr root-ca.conf %/cluster-ca.csr %/intermediate.conf

.DEFAULT_GOAL := help

SELF_DIR := $(dir $(lastword $(MAKEFILE_LIST)))

include $(SELF_DIR)common.mk

#------------------------------------------------------------------------
##help:		print this help message
.PHONY: help

cfssl gencert -initca root.csr.json | cfssljson -bare root

cfssl gencert -initca intermediate.csr.json | cfssljson -bare intermediate
cfssl sign -ca root.pem -ca-key root-key.pem -config intermediate.config.json intermediate.csr | cfssljson -bare intermediate

cfssl gencert -ca intermediate.pem -ca-key intermediate-key.pem -config client.config.json --profile=valid   client.csr.json | cfssljson -bare client-valid

				if got, expected := a.Subresource, "approval"; got != expected {
					t.Errorf("got: %v, expected: %v", got, expected)
				}
				csr := a.Object.(*capi.CertificateSigningRequest)
				if len(csr.Status.Conditions) != 1 {
					t.Errorf("expected CSR to have approved condition: %#v", csr)
				}
				c := csr.Status.Conditions[0]
				if got, expected := c.Type, capi.CertificateApproved; got != expected {

openssl req -new -key "${WD}/clientA.key" -out "${WD}/clientA.csr" -subj "/CN=*.example.com" -config "${WD}/client.conf"
openssl x509 -req -days 3650 -CA "${WD}/rootA.crt" -CAkey "${WD}/rootA.key" -set_serial 0 -in "${WD}/clientA.csr" -out "${WD}/clientA.crt" -extensions v3_req -extfile "${WD}/client.conf"

openssl genrsa -out "${WD}/serverA.key" 2048
openssl req -new -key "${WD}/serverA.key" -out "${WD}/serverA.csr" -subj "/CN=*.example.com" -config "${WD}/server.conf"