return nil, err
	}

	// Create the cert chain by concatenating the intermediate and root certs.
	certChain := caCert + rootCert

	return &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name: "cacerts",
		},
		Data: map[string][]byte{
			"ca-cert.pem":    []byte(caCert),
			"ca-key.pem":     []byte(caKey),
			"cert-chain.pem": []byte(certChain),
			"root-cert.pem":  []byte(rootCert),
		},
	}, nil

	if features.SkipValidateTrustDomain {
		return nil
	}

	tds := append([]string{meshConfig.TrustDomain}, meshConfig.TrustDomainAliases...)
	for _, cacert := range meshConfig.GetCaCertificates() {
		tds = append(tds, cacert.GetTrustDomains()...)
	}
	return dedupTrustDomains(tds)
}

func dedupTrustDomains(tds []string) []string {
	known := sets.New[string]()
	deduped := make([]string, 0, len(tds))

	return CreateCustomCASecret(ctx,
		"ca-cert.pem", "ca-key.pem",
		"cert-chain.pem", "root-cert.pem")
}

// CreateCASecretAlt creates a k8s secret "cacerts" to store the CA key and cert using an alternative set of certs.
func CreateCASecretAlt(ctx resource.Context) error {
	return CreateCustomCASecret(ctx,
		"ca-cert-alt.pem", "ca-key-alt.pem",
		"cert-chain-alt.pem", "root-cert-alt.pem")
}

			// Create a valid kubernetes secret to provision key/cert for sidecar.
			ingressutil.CreateIngressKubeSecretInNamespace(t, credNameGeneric, ingressutil.Mtls, ingressutil.IngressCredential{
				Certificate: file.AsStringOrFail(t, path.Join(env.IstioSrc, "tests/testdata/certs/dns/cert-chain.pem")),
				PrivateKey:  file.AsStringOrFail(t, path.Join(env.IstioSrc, "tests/testdata/certs/dns/key.pem")),

[alt_names]
URI = $san
EOF

certchain="$FINAL_DIR"/cert-chain.pem
cacert="$FINAL_DIR"/ca-cert.pem
cakey="$FINAL_DIR"/ca-key.pem
rootcert="$FINAL_DIR"/root-cert.pem

if [[ "$rootselect" = "use-alternative-root" ]] ; then
  certchain="$FINAL_DIR"/cert-chain-alt.pem
  cacert="$FINAL_DIR"/ca-cert-alt.pem
  cakey="$FINAL_DIR"/ca-key-alt.pem
  rootcert="$FINAL_DIR"/root-cert-alt.pem
fi

{{ template "base" .KubeHome }}
readonly ETCD_APISERVER_CA_KEY={{.CAKey}}
readonly ETCD_APISERVER_CA_CERT={{.CACert}}
readonly ETCD_APISERVER_SERVER_KEY={{.APIServerKey}}
readonly ETCD_APISERVER_SERVER_CERT={{.APIServerCert}}
readonly ETCD_APISERVER_CLIENT_KEY={{.ETCDKey}}
readonly ETCD_APISERVER_CLIENT_CERT={{.ETCDCert}}
readonly ETCD_SERVERS={{.ETCDServers}}
readonly ETCD_APISERVER_CA_CERT_PATH={{.CACertPath}}

			}

			certsphase.CheckCertificatePeriodValidity(caCert.BaseName, caCertData)

			if err := pkiutil.VerifyCertChain(certData, intermediates, caCertData); err != nil {
				return errors.Wrapf(err, "[certs] certificate %s not signed by CA certificate %s", cert.BaseName, caCert.BaseName)
			}

			fmt.Printf("[certs] Using existing %s certificate and key on disk\n", cert.BaseName)
			return nil
		}

}

// SetupPkiDirWithCertificateAuthority is a utility function for kubeadm testing that creates a
// CertificateAuthority cert/key pair into /pki subfolder of a given temporary directory.
// The function returns the path of the created pki.
func SetupPkiDirWithCertificateAuthority(t *testing.T, tmpdir string) string {
	caCert, caKey := certtestutil.SetupCertificateAuthority(t)

	certDir := filepath.Join(tmpdir, "pki")

current-context: user2@kubernetes
kind: Config
preferences: {}
users:
- name: user2
  user:
    token: cba
`
)

type configClient struct {
	clusterName string
	userName    string
	serverURL   string
	caCert      []byte
}

type configClientWithCerts struct {
	clientKey  []byte
	clientCert []byte
}

type configClientWithToken struct {
	token string
}

func TestCreateWithCerts(t *testing.T) {

		want    x509.Certificate
		wantErr string
	}{
		{
			name:   "ca info",
			policy: PermissiveSigningPolicy{TTL: time.Hour, Now: nowFunc},
			want: x509.Certificate{
				Issuer:                caCert.Subject,
				AuthorityKeyId:        caCert.SubjectKeyId,
				NotBefore:             now,
				NotAfter:              now.Add(1 * time.Hour),
				BasicConstraintsValid: true,
			},
		},
		{
			name:   "key usage",