}

	// Create the cert chain by concatenating the intermediate and root certs.
	certChain := caCert + rootCert

	return &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name: "cacerts",
		},
		Data: map[string][]byte{
			"ca-cert.pem":    []byte(caCert),
			"ca-key.pem":     []byte(caKey),
			"cert-chain.pem": []byte(certChain),
			"root-cert.pem":  []byte(rootCert),
		},
	}, nil

		return nil, status.Error(codes.Unavailable, "CA server is not available")
	}
	if s.sendEmpty() {
		caServerLog.Info("force sending empty cert chain in CSR response")
		response := &pb.IstioCertificateResponse{
			CertChain: []string{},
		}
		return response, nil
	}
	id := []string{"client-identity"}
	if len(s.Authenticators) > 0 {
		caller, err := security.Authenticate(ctx, s.Authenticators)
		if caller == nil || err != nil {

		if caller == nil {
			return nil, status.Error(codes.Unauthenticated, err.Error())
		}
	}
	if ca.Err == nil {
		return &pb.IstioCertificateResponse{CertChain: ca.Certs}, nil
	}
	return nil, ca.Err
}

func tlsOptions(t *testing.T) grpc.ServerOption {
	t.Helper()
	cert, err := tls.LoadX509KeyPair(

		cert.UsageKeyEncipherment,
		cert.UsageServerAuth,
		cert.UsageClientAuth,
	}
	certChain, _, err := chiron.SignCSRK8s(r.csrInterface, csrPEM, certSigner, usages, "", caCertFile, true, false, requestedLifetime)
	if err != nil {
		return nil, raerror.NewError(raerror.CertGenError, err)
	}
	return certChain, err
}

// Sign takes a PEM-encoded CSR and cert opts, and returns a certificate signed by k8s CA.

    {
      "identity": "spiffe://cluster.local/ns/istio-system/sa/ztunnel",
      "state": "Initializing",
      "certChain": []
    },
    {
      "identity": "spiffe://cluster.local/ns/istio-system/sa/another-sa",
      "state": "Unavailable: the identity is no longer needed",
      "certChain": []
    },
    {
      "identity": "spiffe://cluster.local/ns/istio-system/sa/istiod",

				t.Errorf("NewSelfSignedIstioCAOptions got unexpected error: %v", err)
			}
			cert, privateKey, certChain, rootCert := caOpts.KeyCertBundle.GetAllPem()
			if !bytes.Equal(cert, rootCert) {
				t.Error("Root cert and cert do not match")
			}
			// self signed certs do not contain cert chain
			if len(certChain) > 0 {
				t.Error("Cert chain should not exist")
			}
			rootCertCh <- rootCert

		}
	}
	if len(rootCertBytes) != 0 {
		respCertChain = append(respCertChain, string(rootCertBytes))
	}
	response := &pb.IstioCertificateResponse{
		CertChain: respCertChain,
	}
	s.monitoring.Success.Increment()
	serverCaLog.Debugf("CSR successfully signed, sans %v.", caller.Identities)
	return response, nil
}

// Adds the "istio-generated" key if the secret name is `cacerts`.
func BuildSecret(scrtName, namespace string, certChain, privateKey, rootCert, caCert, caPrivateKey []byte, secretType v1.SecretType) *v1.Secret {
	secret := &v1.Secret{
		Data: map[string][]byte{
			CertChainFile:    certChain,
			PrivateKeyFile:   privateKey,
			RootCertFile:     rootCert,
			CACertFile:       caCert,
			CAPrivateKeyFile: caPrivateKey,

// KeyCertBundle stores the cert, private key, cert chain and root cert for an entity. It is thread safe.
// The cert and privKey should be a public/private key pair.
// The cert should be verifiable from the rootCert through the certChain.
// cert and priveKey are pointers to the cert/key parsed from certBytes/privKeyBytes.
type KeyCertBundle struct {
	certBytes      []byte
	cert           *x509.Certificate
	privKeyBytes   []byte

	rootResource := security.RootCertReqResourceName
	if sds {
		workloadResource = sc.existingCertificateFile.GetResourceName()
		rootResource = sc.existingCertificateFile.GetRootResourceName()
	}

	certchain, err := os.ReadFile(sc.existingCertificateFile.CertificatePath)
	if err != nil {
		t.Fatalf("Error reading the cert chain file: %v", err)
	}
	privateKey, err := os.ReadFile(sc.existingCertificateFile.PrivateKeyPath)