revert commits on master (#6413)

2019-08-27 17:45:58 -04:00 · 2019-08-27 17:45:58 -04:00 · e4e9381851
parent 2838a1550a
commit e4e9381851
22 changed files with 243 additions and 486 deletions
--- a/agent/agent.go
+++ b/agent/agent.go
@ -536,7 +536,7 @@ func (a *Agent) setupClientAutoEncryptCache(reply *structs.SignedResponse) (*str
 		QueryOptions: structs.QueryOptions{Token: a.tokens.AgentToken()},
 	}
-	// prepopulate roots cache
+	// prepolutate roots cache
 	rootRes := cache.FetchResult{Value: &reply.ConnectCARoots, Index: reply.ConnectCARoots.QueryMeta.Index}
 	if err := a.cache.Prepopulate(cachetype.ConnectCARootName, rootRes, a.config.Datacenter, a.tokens.AgentToken(), rootsReq.CacheInfo().Key); err != nil {
 		return nil, nil, err
@ -546,11 +546,9 @@ func (a *Agent) setupClientAutoEncryptCache(reply *structs.SignedResponse) (*str
 		Datacenter: a.config.Datacenter,
 		Token:      a.tokens.AgentToken(),
 		Agent:      a.config.NodeName,
 		Domain:     a.config.DNSDomain,
 		NodeName:   a.config.NodeName,
 	}
-	// prepopulate leaf cache
+	// prepolutate leaf cache
 	certRes := cache.FetchResult{Value: &reply.IssuedCert, Index: reply.ConnectCARoots.QueryMeta.Index}
 	if err := a.cache.Prepopulate(cachetype.ConnectCALeafName, certRes, a.config.Datacenter, a.tokens.AgentToken(), leafReq.Key()); err != nil {
 		return nil, nil, err
--- a/agent/agent_endpoint.go
+++ b/agent/agent_endpoint.go
@ -1249,21 +1249,8 @@ func (s *HTTPServer) AgentConnectCALeafCert(resp http.ResponseWriter, req *http.
 	// not the ID of the service instance.
 	serviceName := strings.TrimPrefix(req.URL.Path, "/v1/agent/connect/ca/leaf/")
 	serviceID := serviceName
 	allServices := s.agent.State.Services()
 	for _, service := range allServices {
 		if service.Service == serviceName {
 			serviceID = service.ID
 			break
 		}
 	}
 	args := cachetype.ConnectCALeafRequest{
 		Service: serviceName, // Need name not ID
 		ServiceID:  serviceID,
 		Datacenter: s.agent.config.Datacenter,
 		Domain:     s.agent.config.DNSDomain,
 		NodeName:   s.agent.config.NodeName,
 	}
 	var qOpts structs.QueryOptions
--- a/agent/cache-types/connect_ca_leaf.go
+++ b/agent/cache-types/connect_ca_leaf.go
@ -503,7 +503,6 @@ func (c *ConnectCALeaf) generateNewLeaf(req *ConnectCALeafRequest,
 	// Build the cert uri
 	var id connect.CertURI
 	var commonName string
 	if req.Service != "" {
 		id = &connect.SpiffeIDService{
 			Host:       roots.TrustDomain,
@ -511,14 +510,12 @@ func (c *ConnectCALeaf) generateNewLeaf(req *ConnectCALeafRequest,
 			Namespace:  "default",
 			Service:    req.Service,
 		}
 		commonName = fmt.Sprintf("%s.%s.service.%s.%s.%s", req.NodeName, req.ServiceID, roots.TrustDomain[:8], req.Datacenter, req.Domain)
 	} else if req.Agent != "" {
 		id = &connect.SpiffeIDAgent{
 			Host:       roots.TrustDomain,
 			Datacenter: req.Datacenter,
 			Agent:      req.Agent,
 		}
 		commonName = fmt.Sprintf("%s.agent.%s.%s.%s", req.NodeName, roots.TrustDomain[:8], req.Datacenter, req.Domain)
 	} else {
 		return result, errors.New("URI must be either service or agent")
 	}
@ -530,7 +527,7 @@ func (c *ConnectCALeaf) generateNewLeaf(req *ConnectCALeafRequest,
 	}
 	// Create a CSR.
-	csr, err := connect.CreateCSR(id, commonName, pk)
+	csr, err := connect.CreateCSR(id, pk)
 	if err != nil {
 		return result, err
 	}
@ -619,11 +616,8 @@ func (c *ConnectCALeaf) SupportsBlocking() bool {
 type ConnectCALeafRequest struct {
 	Token         string
 	Datacenter    string
 	Domain        string
 	Service       string // Service name, not ID
 	ServiceID     string
 	Agent         string // Agent name, not ID
 	NodeName      string
 	MinQueryIndex uint64
 	MaxQueryTime  time.Duration
 }
--- a/agent/connect/ca/mock_Provider.go
+++ b/agent/connect/ca/mock_Provider.go
@ -66,13 +66,13 @@ func (_m *MockProvider) Cleanup() error {
 	return r0
 }
-// Configure provides a mock function with given fields: clusterID, datacenterName, dnsDomain, isRoot, rawConfig
+// Configure provides a mock function with given fields: clusterId, isRoot, rawConfig
-func (_m *MockProvider) Configure(clusterId string, datacenterName string, dnsDomain string, isRoot bool, rawConfig map[string]interface{}) error {
+func (_m *MockProvider) Configure(clusterId string, isRoot bool, rawConfig map[string]interface{}) error {
-	ret := _m.Called(clusterId, datacenterName, dnsDomain, isRoot, rawConfig)
+	ret := _m.Called(clusterId, isRoot, rawConfig)
 	var r0 error
-	if rf, ok := ret.Get(0).(func(string, string, string, bool, map[string]interface{}) error); ok {
+	if rf, ok := ret.Get(0).(func(string, bool, map[string]interface{}) error); ok {
-		r0 = rf(clusterId, datacenterName, dnsDomain, isRoot, rawConfig)
+		r0 = rf(clusterId, isRoot, rawConfig)
 	} else {
 		r0 = ret.Error(0)
 	}
--- a/agent/connect/ca/plugin/plugin_test.go
+++ b/agent/connect/ca/plugin/plugin_test.go
@ -18,11 +18,11 @@ func TestProvider_Configure(t *testing.T) {
 		require := require.New(t)
 		// Basic configure
-		m.On("Configure", "foo", "foo", "consul", false, map[string]interface{}{
+		m.On("Configure", "foo", false, map[string]interface{}{
 			"string": "bar",
 			"number": float64(42), // because json
 		}).Once().Return(nil)
-		require.NoError(p.Configure("foo", "foo", "consul", false, map[string]interface{}{
+		require.NoError(p.Configure("foo", false, map[string]interface{}{
 			"string": "bar",
 			"number": float64(42),
 		}))
@ -30,8 +30,8 @@ func TestProvider_Configure(t *testing.T) {
 		// Try with an error
 		m.Mock = mock.Mock{}
-		m.On("Configure", "foo", "foo", "consul", false, map[string]interface{}{}).Once().Return(errors.New("hello world"))
+		m.On("Configure", "foo", false, map[string]interface{}{}).Once().Return(errors.New("hello world"))
-		err := p.Configure("foo", "foo", "consul", false, map[string]interface{}{})
+		err := p.Configure("foo", false, map[string]interface{}{})
 		require.Error(err)
 		require.Contains(err.Error(), "hello")
 		m.AssertExpectations(t)
@ -42,7 +42,7 @@ func TestProvider_GenerateRoot(t *testing.T) {
 	testPlugin(t, func(t *testing.T, m *ca.MockProvider, p ca.Provider) {
 		require := require.New(t)
-		// Try with no error
+		// Try cleanup with no error
 		m.On("GenerateRoot").Once().Return(nil)
 		require.NoError(p.GenerateRoot())
 		m.AssertExpectations(t)
@ -61,7 +61,7 @@ func TestProvider_ActiveRoot(t *testing.T) {
 	testPlugin(t, func(t *testing.T, m *ca.MockProvider, p ca.Provider) {
 		require := require.New(t)
-		// Try with no error
+		// Try cleanup with no error
 		m.On("ActiveRoot").Once().Return("foo", nil)
 		actual, err := p.ActiveRoot()
 		require.NoError(err)
@ -82,7 +82,7 @@ func TestProvider_GenerateIntermediateCSR(t *testing.T) {
 	testPlugin(t, func(t *testing.T, m *ca.MockProvider, p ca.Provider) {
 		require := require.New(t)
-		// Try with no error
+		// Try cleanup with no error
 		m.On("GenerateIntermediateCSR").Once().Return("foo", nil)
 		actual, err := p.GenerateIntermediateCSR()
 		require.NoError(err)
@ -103,7 +103,7 @@ func TestProvider_SetIntermediate(t *testing.T) {
 	testPlugin(t, func(t *testing.T, m *ca.MockProvider, p ca.Provider) {
 		require := require.New(t)
-		// Try with no error
+		// Try cleanup with no error
 		m.On("SetIntermediate", "foo", "bar").Once().Return(nil)
 		err := p.SetIntermediate("foo", "bar")
 		require.NoError(err)
@ -123,7 +123,7 @@ func TestProvider_ActiveIntermediate(t *testing.T) {
 	testPlugin(t, func(t *testing.T, m *ca.MockProvider, p ca.Provider) {
 		require := require.New(t)
-		// Try with no error
+		// Try cleanup with no error
 		m.On("ActiveIntermediate").Once().Return("foo", nil)
 		actual, err := p.ActiveIntermediate()
 		require.NoError(err)
@ -144,7 +144,7 @@ func TestProvider_GenerateIntermediate(t *testing.T) {
 	testPlugin(t, func(t *testing.T, m *ca.MockProvider, p ca.Provider) {
 		require := require.New(t)
-		// Try with no error
+		// Try cleanup with no error
 		m.On("GenerateIntermediate").Once().Return("foo", nil)
 		actual, err := p.GenerateIntermediate()
 		require.NoError(err)
@ -166,7 +166,7 @@ func TestProvider_Sign(t *testing.T) {
 		require := require.New(t)
 		// Create a CSR
-		csrPEM, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"), "node1.web.service.dc1.consul.")
+		csrPEM, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))
 		block, _ := pem.Decode([]byte(csrPEM))
 		csr, err := x509.ParseCertificateRequest(block.Bytes)
 		require.NoError(err)
@ -197,7 +197,7 @@ func TestProvider_SignIntermediate(t *testing.T) {
 		require := require.New(t)
 		// Create a CSR
-		csrPEM, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"), "node1.web.service.dc1.consul.")
+		csrPEM, _ := connect.TestCSR(t, connect.TestSpiffeIDService(t, "web"))
 		block, _ := pem.Decode([]byte(csrPEM))
 		csr, err := x509.ParseCertificateRequest(block.Bytes)
 		require.NoError(err)
--- a/agent/connect/ca/plugin/provider.pb.go
+++ b/agent/connect/ca/plugin/provider.pb.go
@ -1,17 +1,19 @@
 // Code generated by protoc-gen-gogo. DO NOT EDIT.
 // source: agent/connect/ca/plugin/provider.proto
-package plugin
+package plugin // import "github.com/hashicorp/consul/agent/connect/ca/plugin"
 import proto "github.com/golang/protobuf/proto"
 import fmt "fmt"
 import math "math"
 import (
-	context "context"
+	context "golang.org/x/net/context"
 	fmt "fmt"
 	proto "github.com/golang/protobuf/proto"
 	grpc "google.golang.org/grpc"
 	io "io"
 	math "math"
 )
 import io "io"
 // Reference imports to suppress errors if they are not otherwise used.
 var _ = proto.Marshal
 var _ = fmt.Errorf
@ -25,10 +27,8 @@ const _ = proto.ProtoPackageIsVersion2 // please upgrade the proto package
 type ConfigureRequest struct {
 	ClusterId            string   `protobuf:"bytes,1,opt,name=cluster_id,json=clusterId,proto3" json:"cluster_id,omitempty"`
-	DatacenterName       string   `protobuf:"bytes,2,opt,name=datacenter_name,json=datacenterName,proto3" json:"datacenter_name,omitempty"`
+	IsRoot               bool     `protobuf:"varint,2,opt,name=is_root,json=isRoot,proto3" json:"is_root,omitempty"`
-	DnsDomain            string   `protobuf:"bytes,3,opt,name=dns_domain,json=dnsDomain,proto3" json:"dns_domain,omitempty"`
+	Config               []byte   `protobuf:"bytes,3,opt,name=config,proto3" json:"config,omitempty"`
 	IsRoot               bool     `protobuf:"varint,4,opt,name=is_root,json=isRoot,proto3" json:"is_root,omitempty"`
 	Config               []byte   `protobuf:"bytes,5,opt,name=config,proto3" json:"config,omitempty"`
 	XXX_NoUnkeyedLiteral struct{} `json:"-"`
 	XXX_unrecognized     []byte   `json:"-"`
 	XXX_sizecache        int32    `json:"-"`
@ -38,7 +38,7 @@ func (m *ConfigureRequest) Reset()         { *m = ConfigureRequest{} }
 func (m *ConfigureRequest) String() string { return proto.CompactTextString(m) }
 func (*ConfigureRequest) ProtoMessage()    {}
 func (*ConfigureRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_94daeb7181770839, []int{0}
+	return fileDescriptor_provider_8ff2d2670790989c, []int{0}
 }
 func (m *ConfigureRequest) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@ -55,8 +55,8 @@ func (m *ConfigureRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, er
 		return b[:n], nil
 	}
 }
-func (m *ConfigureRequest) XXX_Merge(src proto.Message) {
+func (dst *ConfigureRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ConfigureRequest.Merge(m, src)
+	xxx_messageInfo_ConfigureRequest.Merge(dst, src)
 }
 func (m *ConfigureRequest) XXX_Size() int {
 	return m.Size()
@ -74,20 +74,6 @@ func (m *ConfigureRequest) GetClusterId() string {
 	return ""
 }
 func (m *ConfigureRequest) GetDatacenterName() string {
 	if m != nil {
 		return m.DatacenterName
 	}
 	return ""
 }
 func (m *ConfigureRequest) GetDnsDomain() string {
 	if m != nil {
 		return m.DnsDomain
 	}
 	return ""
 }
 func (m *ConfigureRequest) GetIsRoot() bool {
 	if m != nil {
 		return m.IsRoot
@ -114,7 +100,7 @@ func (m *SetIntermediateRequest) Reset()         { *m = SetIntermediateRequest{}
 func (m *SetIntermediateRequest) String() string { return proto.CompactTextString(m) }
 func (*SetIntermediateRequest) ProtoMessage()    {}
 func (*SetIntermediateRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_94daeb7181770839, []int{1}
+	return fileDescriptor_provider_8ff2d2670790989c, []int{1}
 }
 func (m *SetIntermediateRequest) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@ -131,8 +117,8 @@ func (m *SetIntermediateRequest) XXX_Marshal(b []byte, deterministic bool) ([]by
 		return b[:n], nil
 	}
 }
-func (m *SetIntermediateRequest) XXX_Merge(src proto.Message) {
+func (dst *SetIntermediateRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SetIntermediateRequest.Merge(m, src)
+	xxx_messageInfo_SetIntermediateRequest.Merge(dst, src)
 }
 func (m *SetIntermediateRequest) XXX_Size() int {
 	return m.Size()
@ -168,7 +154,7 @@ func (m *SignRequest) Reset()         { *m = SignRequest{} }
 func (m *SignRequest) String() string { return proto.CompactTextString(m) }
 func (*SignRequest) ProtoMessage()    {}
 func (*SignRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_94daeb7181770839, []int{2}
+	return fileDescriptor_provider_8ff2d2670790989c, []int{2}
 }
 func (m *SignRequest) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@ -185,8 +171,8 @@ func (m *SignRequest) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
 		return b[:n], nil
 	}
 }
-func (m *SignRequest) XXX_Merge(src proto.Message) {
+func (dst *SignRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SignRequest.Merge(m, src)
+	xxx_messageInfo_SignRequest.Merge(dst, src)
 }
 func (m *SignRequest) XXX_Size() int {
 	return m.Size()
@ -215,7 +201,7 @@ func (m *SignIntermediateRequest) Reset()         { *m = SignIntermediateRequest
 func (m *SignIntermediateRequest) String() string { return proto.CompactTextString(m) }
 func (*SignIntermediateRequest) ProtoMessage()    {}
 func (*SignIntermediateRequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_94daeb7181770839, []int{3}
+	return fileDescriptor_provider_8ff2d2670790989c, []int{3}
 }
 func (m *SignIntermediateRequest) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@ -232,8 +218,8 @@ func (m *SignIntermediateRequest) XXX_Marshal(b []byte, deterministic bool) ([]b
 		return b[:n], nil
 	}
 }
-func (m *SignIntermediateRequest) XXX_Merge(src proto.Message) {
+func (dst *SignIntermediateRequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SignIntermediateRequest.Merge(m, src)
+	xxx_messageInfo_SignIntermediateRequest.Merge(dst, src)
 }
 func (m *SignIntermediateRequest) XXX_Size() int {
 	return m.Size()
@ -262,7 +248,7 @@ func (m *CrossSignCARequest) Reset()         { *m = CrossSignCARequest{} }
 func (m *CrossSignCARequest) String() string { return proto.CompactTextString(m) }
 func (*CrossSignCARequest) ProtoMessage()    {}
 func (*CrossSignCARequest) Descriptor() ([]byte, []int) {
-	return fileDescriptor_94daeb7181770839, []int{4}
+	return fileDescriptor_provider_8ff2d2670790989c, []int{4}
 }
 func (m *CrossSignCARequest) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@ -279,8 +265,8 @@ func (m *CrossSignCARequest) XXX_Marshal(b []byte, deterministic bool) ([]byte,
 		return b[:n], nil
 	}
 }
-func (m *CrossSignCARequest) XXX_Merge(src proto.Message) {
+func (dst *CrossSignCARequest) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CrossSignCARequest.Merge(m, src)
+	xxx_messageInfo_CrossSignCARequest.Merge(dst, src)
 }
 func (m *CrossSignCARequest) XXX_Size() int {
 	return m.Size()
@ -309,7 +295,7 @@ func (m *ActiveRootResponse) Reset()         { *m = ActiveRootResponse{} }
 func (m *ActiveRootResponse) String() string { return proto.CompactTextString(m) }
 func (*ActiveRootResponse) ProtoMessage()    {}
 func (*ActiveRootResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_94daeb7181770839, []int{5}
+	return fileDescriptor_provider_8ff2d2670790989c, []int{5}
 }
 func (m *ActiveRootResponse) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@ -326,8 +312,8 @@ func (m *ActiveRootResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte,
 		return b[:n], nil
 	}
 }
-func (m *ActiveRootResponse) XXX_Merge(src proto.Message) {
+func (dst *ActiveRootResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ActiveRootResponse.Merge(m, src)
+	xxx_messageInfo_ActiveRootResponse.Merge(dst, src)
 }
 func (m *ActiveRootResponse) XXX_Size() int {
 	return m.Size()
@ -356,7 +342,7 @@ func (m *GenerateIntermediateCSRResponse) Reset()         { *m = GenerateInterme
 func (m *GenerateIntermediateCSRResponse) String() string { return proto.CompactTextString(m) }
 func (*GenerateIntermediateCSRResponse) ProtoMessage()    {}
 func (*GenerateIntermediateCSRResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_94daeb7181770839, []int{6}
+	return fileDescriptor_provider_8ff2d2670790989c, []int{6}
 }
 func (m *GenerateIntermediateCSRResponse) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@ -373,8 +359,8 @@ func (m *GenerateIntermediateCSRResponse) XXX_Marshal(b []byte, deterministic bo
 		return b[:n], nil
 	}
 }
-func (m *GenerateIntermediateCSRResponse) XXX_Merge(src proto.Message) {
+func (dst *GenerateIntermediateCSRResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GenerateIntermediateCSRResponse.Merge(m, src)
+	xxx_messageInfo_GenerateIntermediateCSRResponse.Merge(dst, src)
 }
 func (m *GenerateIntermediateCSRResponse) XXX_Size() int {
 	return m.Size()
@ -403,7 +389,7 @@ func (m *ActiveIntermediateResponse) Reset()         { *m = ActiveIntermediateRe
 func (m *ActiveIntermediateResponse) String() string { return proto.CompactTextString(m) }
 func (*ActiveIntermediateResponse) ProtoMessage()    {}
 func (*ActiveIntermediateResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_94daeb7181770839, []int{7}
+	return fileDescriptor_provider_8ff2d2670790989c, []int{7}
 }
 func (m *ActiveIntermediateResponse) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@ -420,8 +406,8 @@ func (m *ActiveIntermediateResponse) XXX_Marshal(b []byte, deterministic bool) (
 		return b[:n], nil
 	}
 }
-func (m *ActiveIntermediateResponse) XXX_Merge(src proto.Message) {
+func (dst *ActiveIntermediateResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_ActiveIntermediateResponse.Merge(m, src)
+	xxx_messageInfo_ActiveIntermediateResponse.Merge(dst, src)
 }
 func (m *ActiveIntermediateResponse) XXX_Size() int {
 	return m.Size()
@ -450,7 +436,7 @@ func (m *GenerateIntermediateResponse) Reset()         { *m = GenerateIntermedia
 func (m *GenerateIntermediateResponse) String() string { return proto.CompactTextString(m) }
 func (*GenerateIntermediateResponse) ProtoMessage()    {}
 func (*GenerateIntermediateResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_94daeb7181770839, []int{8}
+	return fileDescriptor_provider_8ff2d2670790989c, []int{8}
 }
 func (m *GenerateIntermediateResponse) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@ -467,8 +453,8 @@ func (m *GenerateIntermediateResponse) XXX_Marshal(b []byte, deterministic bool)
 		return b[:n], nil
 	}
 }
-func (m *GenerateIntermediateResponse) XXX_Merge(src proto.Message) {
+func (dst *GenerateIntermediateResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_GenerateIntermediateResponse.Merge(m, src)
+	xxx_messageInfo_GenerateIntermediateResponse.Merge(dst, src)
 }
 func (m *GenerateIntermediateResponse) XXX_Size() int {
 	return m.Size()
@ -497,7 +483,7 @@ func (m *SignResponse) Reset()         { *m = SignResponse{} }
 func (m *SignResponse) String() string { return proto.CompactTextString(m) }
 func (*SignResponse) ProtoMessage()    {}
 func (*SignResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_94daeb7181770839, []int{9}
+	return fileDescriptor_provider_8ff2d2670790989c, []int{9}
 }
 func (m *SignResponse) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@ -514,8 +500,8 @@ func (m *SignResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
 		return b[:n], nil
 	}
 }
-func (m *SignResponse) XXX_Merge(src proto.Message) {
+func (dst *SignResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SignResponse.Merge(m, src)
+	xxx_messageInfo_SignResponse.Merge(dst, src)
 }
 func (m *SignResponse) XXX_Size() int {
 	return m.Size()
@ -544,7 +530,7 @@ func (m *SignIntermediateResponse) Reset()         { *m = SignIntermediateRespon
 func (m *SignIntermediateResponse) String() string { return proto.CompactTextString(m) }
 func (*SignIntermediateResponse) ProtoMessage()    {}
 func (*SignIntermediateResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_94daeb7181770839, []int{10}
+	return fileDescriptor_provider_8ff2d2670790989c, []int{10}
 }
 func (m *SignIntermediateResponse) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@ -561,8 +547,8 @@ func (m *SignIntermediateResponse) XXX_Marshal(b []byte, deterministic bool) ([]
 		return b[:n], nil
 	}
 }
-func (m *SignIntermediateResponse) XXX_Merge(src proto.Message) {
+func (dst *SignIntermediateResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_SignIntermediateResponse.Merge(m, src)
+	xxx_messageInfo_SignIntermediateResponse.Merge(dst, src)
 }
 func (m *SignIntermediateResponse) XXX_Size() int {
 	return m.Size()
@ -591,7 +577,7 @@ func (m *CrossSignCAResponse) Reset()         { *m = CrossSignCAResponse{} }
 func (m *CrossSignCAResponse) String() string { return proto.CompactTextString(m) }
 func (*CrossSignCAResponse) ProtoMessage()    {}
 func (*CrossSignCAResponse) Descriptor() ([]byte, []int) {
-	return fileDescriptor_94daeb7181770839, []int{11}
+	return fileDescriptor_provider_8ff2d2670790989c, []int{11}
 }
 func (m *CrossSignCAResponse) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@ -608,8 +594,8 @@ func (m *CrossSignCAResponse) XXX_Marshal(b []byte, deterministic bool) ([]byte,
 		return b[:n], nil
 	}
 }
-func (m *CrossSignCAResponse) XXX_Merge(src proto.Message) {
+func (dst *CrossSignCAResponse) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_CrossSignCAResponse.Merge(m, src)
+	xxx_messageInfo_CrossSignCAResponse.Merge(dst, src)
 }
 func (m *CrossSignCAResponse) XXX_Size() int {
 	return m.Size()
@ -639,7 +625,7 @@ func (m *Empty) Reset()         { *m = Empty{} }
 func (m *Empty) String() string { return proto.CompactTextString(m) }
 func (*Empty) ProtoMessage()    {}
 func (*Empty) Descriptor() ([]byte, []int) {
-	return fileDescriptor_94daeb7181770839, []int{12}
+	return fileDescriptor_provider_8ff2d2670790989c, []int{12}
 }
 func (m *Empty) XXX_Unmarshal(b []byte) error {
 	return m.Unmarshal(b)
@ -656,8 +642,8 @@ func (m *Empty) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) {
 		return b[:n], nil
 	}
 }
-func (m *Empty) XXX_Merge(src proto.Message) {
+func (dst *Empty) XXX_Merge(src proto.Message) {
-	xxx_messageInfo_Empty.Merge(m, src)
+	xxx_messageInfo_Empty.Merge(dst, src)
 }
 func (m *Empty) XXX_Size() int {
 	return m.Size()
@ -684,52 +670,6 @@ func init() {
 	proto.RegisterType((*Empty)(nil), "plugin.Empty")
 }
 func init() {
 	proto.RegisterFile("agent/connect/ca/plugin/provider.proto", fileDescriptor_94daeb7181770839)
 }
 var fileDescriptor_94daeb7181770839 = []byte{
 	// 607 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x55, 0xdd, 0x6e, 0xd3, 0x30,
 	0x18, 0x25, 0xfb, 0x69, 0xb7, 0x6f, 0x85, 0x55, 0xde, 0xb4, 0x85, 0x02, 0x5d, 0x15, 0xa1, 0x75,
 	0x08, 0x68, 0x04, 0x03, 0x4d, 0xe2, 0x8a, 0x11, 0xc6, 0x34, 0x21, 0xa1, 0x91, 0x89, 0x1b, 0x2e,
 	0xa8, 0x32, 0xc7, 0x74, 0x96, 0x1a, 0x3b, 0xd8, 0xce, 0x24, 0xde, 0x84, 0x67, 0xe0, 0x45, 0xe0,
 	0x92, 0x47, 0x40, 0xe3, 0x45, 0x90, 0xf3, 0xb7, 0x24, 0x4d, 0x97, 0xbb, 0xfa, 0xcb, 0x39, 0xc7,
 	0xe7, 0xfb, 0xab, 0x61, 0xd7, 0x9b, 0x10, 0xa6, 0x6c, 0xcc, 0x19, 0x23, 0x58, 0xd9, 0xd8, 0xb3,
 	0xc3, 0x69, 0x34, 0xa1, 0xcc, 0x0e, 0x05, 0xbf, 0xa4, 0x3e, 0x11, 0xa3, 0x50, 0x70, 0xc5, 0x51,
 	0x2b, 0x09, 0x5b, 0x3f, 0x0d, 0xe8, 0x3a, 0x9c, 0x7d, 0xa5, 0x93, 0x48, 0x10, 0x97, 0x7c, 0x8b,
 	0x88, 0x54, 0xe8, 0x01, 0x00, 0x9e, 0x46, 0x52, 0x11, 0x31, 0xa6, 0xbe, 0x69, 0x0c, 0x8c, 0xbd,
 	0x55, 0x77, 0x35, 0x8d, 0x9c, 0xf8, 0x68, 0x08, 0xeb, 0xbe, 0xa7, 0x3c, 0x4c, 0x98, 0x46, 0x30,
 	0x2f, 0x20, 0xe6, 0x42, 0x8c, 0xb9, 0x73, 0x1d, 0xfe, 0xe0, 0x05, 0x44, 0xeb, 0xf8, 0x4c, 0x8e,
 	0x7d, 0x1e, 0x78, 0x94, 0x99, 0x8b, 0x89, 0x8e, 0xcf, 0xe4, 0xdb, 0x38, 0x80, 0xb6, 0xa1, 0x4d,
 	0xe5, 0x58, 0x70, 0xae, 0xcc, 0xa5, 0x81, 0xb1, 0xb7, 0xe2, 0xb6, 0xa8, 0x74, 0x39, 0x57, 0x68,
 	0x0b, 0x5a, 0x38, 0xf6, 0x64, 0x2e, 0x0f, 0x8c, 0xbd, 0x8e, 0x9b, 0x9e, 0xac, 0x2f, 0xb0, 0x75,
 	0x46, 0xd4, 0x89, 0xd6, 0x0f, 0x88, 0x4f, 0x3d, 0x95, 0x3b, 0x7e, 0x04, 0x5d, 0x5a, 0x08, 0x8f,
 	0x43, 0x12, 0xa4, 0xbe, 0xd7, 0x8b, 0xf1, 0x53, 0x12, 0xa0, 0xbb, 0xb0, 0xa2, 0xaf, 0x8c, 0x21,
 	0x89, 0xed, 0xb6, 0x3e, 0x9f, 0x92, 0xc0, 0xda, 0x81, 0xb5, 0x33, 0x3a, 0x61, 0x99, 0x68, 0x17,
 	0x16, 0xb1, 0x14, 0xb1, 0x4e, 0xc7, 0xd5, 0x3f, 0xad, 0xc7, 0xb0, 0xad, 0x01, 0x75, 0x0e, 0x66,
 	0xc1, 0xbb, 0x80, 0x1c, 0xc1, 0xa5, 0xd4, 0x0c, 0xe7, 0xb0, 0x88, 0x13, 0x2a, 0xc7, 0x09, 0x65,
 	0x3d, 0x05, 0x74, 0x88, 0x15, 0xbd, 0x24, 0x3a, 0x77, 0x97, 0xc8, 0x90, 0x33, 0x49, 0x74, 0x71,
 	0xb0, 0x50, 0x85, 0x44, 0x5a, 0x58, 0xc4, 0x26, 0x5f, 0xc1, 0xce, 0x31, 0x61, 0x44, 0x78, 0x8a,
 	0x14, 0x7d, 0x38, 0x67, 0x6e, 0x89, 0x2b, 0x45, 0x89, 0x2b, 0x85, 0xe6, 0xbe, 0x84, 0x5e, 0x72,
 	0x55, 0x39, 0x83, 0xa6, 0x2b, 0x0f, 0xe0, 0x7e, 0xdd, 0x95, 0xcd, 0xc4, 0x21, 0x74, 0x92, 0x82,
 	0x36, 0x01, 0xf7, 0xc1, 0x9c, 0x2d, 0x6c, 0x13, 0x69, 0x04, 0x1b, 0xa5, 0x02, 0x37, 0xe1, 0xdb,
 	0xb0, 0x7c, 0x14, 0x84, 0xea, 0xfb, 0xf3, 0x5f, 0xcb, 0xb0, 0xe0, 0x1c, 0xa2, 0x17, 0xb0, 0x9a,
 	0x8f, 0x3e, 0x32, 0x47, 0xc9, 0x46, 0x8c, 0xaa, 0xdb, 0xd0, 0xbb, 0x9d, 0x7d, 0x89, 0xc9, 0xe8,
 	0x09, 0x74, 0xb2, 0x62, 0xc4, 0xc3, 0x5a, 0xfe, 0x5c, 0x45, 0x1f, 0x00, 0x5c, 0x37, 0xb7, 0x8a,
 	0xed, 0x65, 0xc7, 0x9a, 0xfe, 0x7f, 0x84, 0xed, 0x39, 0x6d, 0xae, 0xaa, 0x0c, 0xb3, 0x63, 0xd3,
 	0x58, 0xbc, 0x86, 0xf5, 0xca, 0xfa, 0xa0, 0x7e, 0xc6, 0xad, 0xdf, 0xab, 0x6a, 0x36, 0xc7, 0xd9,
 	0xa8, 0x96, 0x44, 0x2a, 0x7e, 0xac, 0x72, 0x56, 0xb5, 0x3d, 0x7d, 0x0f, 0x9b, 0x75, 0x6e, 0xab,
 	0x52, 0x0f, 0x6f, 0x4a, 0x2d, 0x17, 0x7b, 0x06, 0x4b, 0x7a, 0x04, 0xd0, 0x46, 0x9e, 0xcc, 0xf5,
 	0x12, 0xf7, 0x36, 0xcb, 0xc1, 0x94, 0xf2, 0x09, 0xba, 0xd5, 0x79, 0x43, 0x3b, 0x45, 0x64, 0x5d,
 	0x31, 0x06, 0xf3, 0x01, 0xa9, 0xec, 0x3b, 0x58, 0x2b, 0x4c, 0x24, 0xca, 0xfb, 0x3b, 0xfb, 0x3f,
 	0xd0, 0xbb, 0x57, 0xfb, 0x2d, 0xd5, 0x19, 0x42, 0xdb, 0x99, 0x12, 0x8f, 0x45, 0xe1, 0xcd, 0xe3,
 	0xf5, 0xe6, 0xe8, 0xf7, 0x55, 0xdf, 0xf8, 0x73, 0xd5, 0x37, 0xfe, 0x5e, 0xf5, 0x8d, 0x1f, 0xff,
 	0xfa, 0xb7, 0x3e, 0xef, 0x4f, 0xa8, 0xba, 0x88, 0xce, 0x47, 0x98, 0x07, 0xf6, 0x85, 0x27, 0x2f,
 	0x28, 0xe6, 0x22, 0xd4, 0xef, 0x81, 0x8c, 0xa6, 0xf6, 0x9c, 0xc7, 0xe1, 0xbc, 0x15, 0x3f, 0x0a,
 	0xfb, 0xff, 0x03, 0x00, 0x00, 0xff, 0xff, 0x5a, 0xb9, 0x1f, 0x6c, 0x3e, 0x06, 0x00, 0x00,
 }
 // Reference imports to suppress errors if they are not otherwise used.
 var _ context.Context
 var _ grpc.ClientConn
@ -1153,20 +1093,8 @@ func (m *ConfigureRequest) MarshalTo(dAtA []byte) (int, error) {
 		i = encodeVarintProvider(dAtA, i, uint64(len(m.ClusterId)))
 		i += copy(dAtA[i:], m.ClusterId)
 	}
 	if len(m.DatacenterName) > 0 {
 		dAtA[i] = 0x12
 		i++
 		i = encodeVarintProvider(dAtA, i, uint64(len(m.DatacenterName)))
 		i += copy(dAtA[i:], m.DatacenterName)
 	}
 	if len(m.DnsDomain) > 0 {
 		dAtA[i] = 0x1a
 		i++
 		i = encodeVarintProvider(dAtA, i, uint64(len(m.DnsDomain)))
 		i += copy(dAtA[i:], m.DnsDomain)
 	}
 	if m.IsRoot {
-		dAtA[i] = 0x20
+		dAtA[i] = 0x10
 		i++
 		if m.IsRoot {
 			dAtA[i] = 1
@ -1176,7 +1104,7 @@ func (m *ConfigureRequest) MarshalTo(dAtA []byte) (int, error) {
 		i++
 	}
 	if len(m.Config) > 0 {
-		dAtA[i] = 0x2a
+		dAtA[i] = 0x1a
 		i++
 		i = encodeVarintProvider(dAtA, i, uint64(len(m.Config)))
 		i += copy(dAtA[i:], m.Config)
@ -1530,14 +1458,6 @@ func (m *ConfigureRequest) Size() (n int) {
 	if l > 0 {
 		n += 1 + l + sovProvider(uint64(l))
 	}
 	l = len(m.DatacenterName)
 	if l > 0 {
 		n += 1 + l + sovProvider(uint64(l))
 	}
 	l = len(m.DnsDomain)
 	if l > 0 {
 		n += 1 + l + sovProvider(uint64(l))
 	}
 	if m.IsRoot {
 		n += 2
 	}
@ -1771,7 +1691,7 @@ func (m *ConfigureRequest) Unmarshal(dAtA []byte) error {
 			}
 			b := dAtA[iNdEx]
 			iNdEx++
-			wire |= uint64(b&0x7F) << shift
+			wire |= (uint64(b) & 0x7F) << shift
 			if b < 0x80 {
 				break
 			}
@ -1799,7 +1719,7 @@ func (m *ConfigureRequest) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				stringLen |= (uint64(b) & 0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@ -1809,79 +1729,12 @@ func (m *ConfigureRequest) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthProvider
 			}
 			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
 			m.ClusterId = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
 		case 2:
 			if wireType != 2 {
 				return fmt.Errorf("proto: wrong wireType = %d for field DatacenterName", wireType)
 			}
 			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowProvider
 				}
 				if iNdEx >= l {
 					return io.ErrUnexpectedEOF
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
 				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
 			intStringLen := int(stringLen)
 			if intStringLen < 0 {
 				return ErrInvalidLengthProvider
 			}
 			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
 			m.DatacenterName = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
 		case 3:
 			if wireType != 2 {
 				return fmt.Errorf("proto: wrong wireType = %d for field DnsDomain", wireType)
 			}
 			var stringLen uint64
 			for shift := uint(0); ; shift += 7 {
 				if shift >= 64 {
 					return ErrIntOverflowProvider
 				}
 				if iNdEx >= l {
 					return io.ErrUnexpectedEOF
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
 				stringLen |= uint64(b&0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
 			intStringLen := int(stringLen)
 			if intStringLen < 0 {
 				return ErrInvalidLengthProvider
 			}
 			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
 			m.DnsDomain = string(dAtA[iNdEx:postIndex])
 			iNdEx = postIndex
 		case 4:
 			if wireType != 0 {
 				return fmt.Errorf("proto: wrong wireType = %d for field IsRoot", wireType)
 			}
@ -1895,13 +1748,13 @@ func (m *ConfigureRequest) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				v |= int(b&0x7F) << shift
+				v |= (int(b) & 0x7F) << shift
 				if b < 0x80 {
 					break
 				}
 			}
 			m.IsRoot = bool(v != 0)
-		case 5:
+		case 3:
 			if wireType != 2 {
 				return fmt.Errorf("proto: wrong wireType = %d for field Config", wireType)
 			}
@ -1915,7 +1768,7 @@ func (m *ConfigureRequest) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				byteLen |= int(b&0x7F) << shift
+				byteLen |= (int(b) & 0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@ -1924,9 +1777,6 @@ func (m *ConfigureRequest) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthProvider
 			}
 			postIndex := iNdEx + byteLen
 			if postIndex < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@ -1944,9 +1794,6 @@ func (m *ConfigureRequest) Unmarshal(dAtA []byte) error {
 			if skippy < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) > l {
 				return io.ErrUnexpectedEOF
 			}
@ -1975,7 +1822,7 @@ func (m *SetIntermediateRequest) Unmarshal(dAtA []byte) error {
 			}
 			b := dAtA[iNdEx]
 			iNdEx++
-			wire |= uint64(b&0x7F) << shift
+			wire |= (uint64(b) & 0x7F) << shift
 			if b < 0x80 {
 				break
 			}
@ -2003,7 +1850,7 @@ func (m *SetIntermediateRequest) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				stringLen |= (uint64(b) & 0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@ -2013,9 +1860,6 @@ func (m *SetIntermediateRequest) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthProvider
 			}
 			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2035,7 +1879,7 @@ func (m *SetIntermediateRequest) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				stringLen |= (uint64(b) & 0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@ -2045,9 +1889,6 @@ func (m *SetIntermediateRequest) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthProvider
 			}
 			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2062,9 +1903,6 @@ func (m *SetIntermediateRequest) Unmarshal(dAtA []byte) error {
 			if skippy < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2093,7 +1931,7 @@ func (m *SignRequest) Unmarshal(dAtA []byte) error {
 			}
 			b := dAtA[iNdEx]
 			iNdEx++
-			wire |= uint64(b&0x7F) << shift
+			wire |= (uint64(b) & 0x7F) << shift
 			if b < 0x80 {
 				break
 			}
@ -2121,7 +1959,7 @@ func (m *SignRequest) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				byteLen |= int(b&0x7F) << shift
+				byteLen |= (int(b) & 0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@ -2130,9 +1968,6 @@ func (m *SignRequest) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthProvider
 			}
 			postIndex := iNdEx + byteLen
 			if postIndex < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2150,9 +1985,6 @@ func (m *SignRequest) Unmarshal(dAtA []byte) error {
 			if skippy < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2181,7 +2013,7 @@ func (m *SignIntermediateRequest) Unmarshal(dAtA []byte) error {
 			}
 			b := dAtA[iNdEx]
 			iNdEx++
-			wire |= uint64(b&0x7F) << shift
+			wire |= (uint64(b) & 0x7F) << shift
 			if b < 0x80 {
 				break
 			}
@ -2209,7 +2041,7 @@ func (m *SignIntermediateRequest) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				byteLen |= int(b&0x7F) << shift
+				byteLen |= (int(b) & 0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@ -2218,9 +2050,6 @@ func (m *SignIntermediateRequest) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthProvider
 			}
 			postIndex := iNdEx + byteLen
 			if postIndex < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2238,9 +2067,6 @@ func (m *SignIntermediateRequest) Unmarshal(dAtA []byte) error {
 			if skippy < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2269,7 +2095,7 @@ func (m *CrossSignCARequest) Unmarshal(dAtA []byte) error {
 			}
 			b := dAtA[iNdEx]
 			iNdEx++
-			wire |= uint64(b&0x7F) << shift
+			wire |= (uint64(b) & 0x7F) << shift
 			if b < 0x80 {
 				break
 			}
@ -2297,7 +2123,7 @@ func (m *CrossSignCARequest) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				byteLen |= int(b&0x7F) << shift
+				byteLen |= (int(b) & 0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@ -2306,9 +2132,6 @@ func (m *CrossSignCARequest) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthProvider
 			}
 			postIndex := iNdEx + byteLen
 			if postIndex < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2326,9 +2149,6 @@ func (m *CrossSignCARequest) Unmarshal(dAtA []byte) error {
 			if skippy < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2357,7 +2177,7 @@ func (m *ActiveRootResponse) Unmarshal(dAtA []byte) error {
 			}
 			b := dAtA[iNdEx]
 			iNdEx++
-			wire |= uint64(b&0x7F) << shift
+			wire |= (uint64(b) & 0x7F) << shift
 			if b < 0x80 {
 				break
 			}
@ -2385,7 +2205,7 @@ func (m *ActiveRootResponse) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				stringLen |= (uint64(b) & 0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@ -2395,9 +2215,6 @@ func (m *ActiveRootResponse) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthProvider
 			}
 			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2412,9 +2229,6 @@ func (m *ActiveRootResponse) Unmarshal(dAtA []byte) error {
 			if skippy < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2443,7 +2257,7 @@ func (m *GenerateIntermediateCSRResponse) Unmarshal(dAtA []byte) error {
 			}
 			b := dAtA[iNdEx]
 			iNdEx++
-			wire |= uint64(b&0x7F) << shift
+			wire |= (uint64(b) & 0x7F) << shift
 			if b < 0x80 {
 				break
 			}
@ -2471,7 +2285,7 @@ func (m *GenerateIntermediateCSRResponse) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				stringLen |= (uint64(b) & 0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@ -2481,9 +2295,6 @@ func (m *GenerateIntermediateCSRResponse) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthProvider
 			}
 			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2498,9 +2309,6 @@ func (m *GenerateIntermediateCSRResponse) Unmarshal(dAtA []byte) error {
 			if skippy < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2529,7 +2337,7 @@ func (m *ActiveIntermediateResponse) Unmarshal(dAtA []byte) error {
 			}
 			b := dAtA[iNdEx]
 			iNdEx++
-			wire |= uint64(b&0x7F) << shift
+			wire |= (uint64(b) & 0x7F) << shift
 			if b < 0x80 {
 				break
 			}
@ -2557,7 +2365,7 @@ func (m *ActiveIntermediateResponse) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				stringLen |= (uint64(b) & 0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@ -2567,9 +2375,6 @@ func (m *ActiveIntermediateResponse) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthProvider
 			}
 			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2584,9 +2389,6 @@ func (m *ActiveIntermediateResponse) Unmarshal(dAtA []byte) error {
 			if skippy < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2615,7 +2417,7 @@ func (m *GenerateIntermediateResponse) Unmarshal(dAtA []byte) error {
 			}
 			b := dAtA[iNdEx]
 			iNdEx++
-			wire |= uint64(b&0x7F) << shift
+			wire |= (uint64(b) & 0x7F) << shift
 			if b < 0x80 {
 				break
 			}
@ -2643,7 +2445,7 @@ func (m *GenerateIntermediateResponse) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				stringLen |= (uint64(b) & 0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@ -2653,9 +2455,6 @@ func (m *GenerateIntermediateResponse) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthProvider
 			}
 			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2670,9 +2469,6 @@ func (m *GenerateIntermediateResponse) Unmarshal(dAtA []byte) error {
 			if skippy < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2701,7 +2497,7 @@ func (m *SignResponse) Unmarshal(dAtA []byte) error {
 			}
 			b := dAtA[iNdEx]
 			iNdEx++
-			wire |= uint64(b&0x7F) << shift
+			wire |= (uint64(b) & 0x7F) << shift
 			if b < 0x80 {
 				break
 			}
@ -2729,7 +2525,7 @@ func (m *SignResponse) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				stringLen |= (uint64(b) & 0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@ -2739,9 +2535,6 @@ func (m *SignResponse) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthProvider
 			}
 			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2756,9 +2549,6 @@ func (m *SignResponse) Unmarshal(dAtA []byte) error {
 			if skippy < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2787,7 +2577,7 @@ func (m *SignIntermediateResponse) Unmarshal(dAtA []byte) error {
 			}
 			b := dAtA[iNdEx]
 			iNdEx++
-			wire |= uint64(b&0x7F) << shift
+			wire |= (uint64(b) & 0x7F) << shift
 			if b < 0x80 {
 				break
 			}
@ -2815,7 +2605,7 @@ func (m *SignIntermediateResponse) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				stringLen |= (uint64(b) & 0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@ -2825,9 +2615,6 @@ func (m *SignIntermediateResponse) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthProvider
 			}
 			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2842,9 +2629,6 @@ func (m *SignIntermediateResponse) Unmarshal(dAtA []byte) error {
 			if skippy < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2873,7 +2657,7 @@ func (m *CrossSignCAResponse) Unmarshal(dAtA []byte) error {
 			}
 			b := dAtA[iNdEx]
 			iNdEx++
-			wire |= uint64(b&0x7F) << shift
+			wire |= (uint64(b) & 0x7F) << shift
 			if b < 0x80 {
 				break
 			}
@ -2901,7 +2685,7 @@ func (m *CrossSignCAResponse) Unmarshal(dAtA []byte) error {
 				}
 				b := dAtA[iNdEx]
 				iNdEx++
-				stringLen |= uint64(b&0x7F) << shift
+				stringLen |= (uint64(b) & 0x7F) << shift
 				if b < 0x80 {
 					break
 				}
@ -2911,9 +2695,6 @@ func (m *CrossSignCAResponse) Unmarshal(dAtA []byte) error {
 				return ErrInvalidLengthProvider
 			}
 			postIndex := iNdEx + intStringLen
 			if postIndex < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if postIndex > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2928,9 +2709,6 @@ func (m *CrossSignCAResponse) Unmarshal(dAtA []byte) error {
 			if skippy < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) > l {
 				return io.ErrUnexpectedEOF
 			}
@ -2959,7 +2737,7 @@ func (m *Empty) Unmarshal(dAtA []byte) error {
 			}
 			b := dAtA[iNdEx]
 			iNdEx++
-			wire |= uint64(b&0x7F) << shift
+			wire |= (uint64(b) & 0x7F) << shift
 			if b < 0x80 {
 				break
 			}
@ -2982,9 +2760,6 @@ func (m *Empty) Unmarshal(dAtA []byte) error {
 			if skippy < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) < 0 {
 				return ErrInvalidLengthProvider
 			}
 			if (iNdEx + skippy) > l {
 				return io.ErrUnexpectedEOF
 			}
@ -3052,11 +2827,8 @@ func skipProvider(dAtA []byte) (n int, err error) {
 					break
 				}
 			}
 			if length < 0 {
 				return 0, ErrInvalidLengthProvider
 			}
 			iNdEx += length
-			if iNdEx < 0 {
+			if length < 0 {
 				return 0, ErrInvalidLengthProvider
 			}
 			return iNdEx, nil
@ -3087,9 +2859,6 @@ func skipProvider(dAtA []byte) (n int, err error) {
 					return 0, err
 				}
 				iNdEx = start + next
 				if iNdEx < 0 {
 					return 0, ErrInvalidLengthProvider
 				}
 			}
 			return iNdEx, nil
 		case 4:
@ -3108,3 +2877,47 @@ var (
 	ErrInvalidLengthProvider = fmt.Errorf("proto: negative length found during unmarshaling")
 	ErrIntOverflowProvider   = fmt.Errorf("proto: integer overflow")
 )
 func init() {
 	proto.RegisterFile("agent/connect/ca/plugin/provider.proto", fileDescriptor_provider_8ff2d2670790989c)
 }
 var fileDescriptor_provider_8ff2d2670790989c = []byte{
 	// 566 bytes of a gzipped FileDescriptorProto
 	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x84, 0x54, 0xdf, 0x6e, 0xd3, 0x3e,
 	0x18, 0xfd, 0xa5, 0xfb, 0xad, 0x5d, 0xbf, 0x15, 0xad, 0xf2, 0xa6, 0xb5, 0x14, 0x68, 0xab, 0x08,
 	0xad, 0x45, 0x40, 0x23, 0x28, 0x68, 0x12, 0x57, 0x94, 0x68, 0x4c, 0x13, 0x37, 0x23, 0x15, 0x37,
 	0x5c, 0x50, 0xa5, 0xae, 0x49, 0x2d, 0x35, 0x71, 0xb0, 0x9d, 0x49, 0xbc, 0x09, 0x6f, 0x04, 0x97,
 	0x3c, 0x02, 0x2a, 0x2f, 0x82, 0x9c, 0x26, 0x59, 0x92, 0xa6, 0xcb, 0x5d, 0xfc, 0xe5, 0x9c, 0xf3,
 	0xfd, 0x3b, 0x36, 0x9c, 0xd9, 0x0e, 0xf1, 0xa4, 0x81, 0x99, 0xe7, 0x11, 0x2c, 0x0d, 0x6c, 0x1b,
 	0xfe, 0x2a, 0x70, 0xa8, 0x67, 0xf8, 0x9c, 0xdd, 0xd0, 0x05, 0xe1, 0x23, 0x9f, 0x33, 0xc9, 0x50,
 	0x75, 0x13, 0xd6, 0xe7, 0xd0, 0x34, 0x99, 0xf7, 0x95, 0x3a, 0x01, 0x27, 0x16, 0xf9, 0x16, 0x10,
 	0x21, 0xd1, 0x23, 0x00, 0xbc, 0x0a, 0x84, 0x24, 0x7c, 0x46, 0x17, 0x6d, 0xad, 0xaf, 0x0d, 0xeb,
 	0x56, 0x3d, 0x8a, 0x5c, 0x2d, 0x50, 0x0b, 0x6a, 0x54, 0xcc, 0x38, 0x63, 0xb2, 0x5d, 0xe9, 0x6b,
 	0xc3, 0x03, 0xab, 0x4a, 0x85, 0xc5, 0x98, 0x44, 0xa7, 0x50, 0xc5, 0xa1, 0x56, 0x7b, 0xaf, 0xaf,
 	0x0d, 0x1b, 0x56, 0x74, 0xd2, 0xbf, 0xc0, 0xe9, 0x94, 0xc8, 0x2b, 0x4f, 0x12, 0xee, 0x92, 0x05,
 	0xb5, 0x65, 0x92, 0xe9, 0x09, 0x34, 0x69, 0x2a, 0x3c, 0xf3, 0x89, 0x1b, 0xe5, 0x3b, 0x4a, 0xc7,
 	0xaf, 0x89, 0x8b, 0xee, 0xc3, 0x81, 0x4a, 0x19, 0x42, 0x2a, 0x21, 0xa4, 0xa6, 0xce, 0xd7, 0xc4,
 	0xd5, 0x7b, 0x70, 0x38, 0xa5, 0x8e, 0x17, 0x8b, 0x36, 0x61, 0x0f, 0x0b, 0x1e, 0xea, 0x34, 0x2c,
 	0xf5, 0xa9, 0x3f, 0x85, 0x96, 0x02, 0x14, 0x55, 0xb0, 0x0d, 0x3e, 0x03, 0x64, 0x72, 0x26, 0x84,
 	0x62, 0x98, 0x93, 0x34, 0x8e, 0xcb, 0x04, 0xc7, 0xa5, 0xfe, 0x1c, 0xd0, 0x04, 0x4b, 0x7a, 0x43,
 	0x54, 0xef, 0x16, 0x11, 0x3e, 0xf3, 0x04, 0x51, 0xc3, 0xc1, 0x5c, 0xa6, 0x1a, 0xa9, 0x62, 0x1e,
 	0x16, 0xf9, 0x06, 0x7a, 0x97, 0xc4, 0x23, 0xdc, 0x96, 0x24, 0x5d, 0x87, 0x39, 0xb5, 0x32, 0x5c,
 	0xc1, 0x33, 0x5c, 0xc1, 0x15, 0xf7, 0x35, 0x74, 0x36, 0xa9, 0xb2, 0x1d, 0x94, 0xa5, 0x3c, 0x87,
 	0x87, 0x45, 0x29, 0xcb, 0x89, 0x03, 0x68, 0x6c, 0x06, 0x5a, 0x06, 0x1c, 0x43, 0x7b, 0x7b, 0xb0,
 	0x65, 0xa4, 0x11, 0x1c, 0x67, 0x06, 0x5c, 0x86, 0xaf, 0xc1, 0xfe, 0x85, 0xeb, 0xcb, 0xef, 0x2f,
 	0x7f, 0xee, 0x43, 0xc5, 0x9c, 0xa0, 0x57, 0x50, 0x4f, 0x2c, 0x8b, 0xda, 0xa3, 0x8d, 0x91, 0x47,
 	0x79, 0x17, 0x77, 0xee, 0xc5, 0x7f, 0x42, 0x32, 0x7a, 0x06, 0x8d, 0x78, 0x18, 0xa1, 0x59, 0xb3,
 	0xbf, 0xf3, 0xe8, 0x73, 0x80, 0xdb, 0xe5, 0xe6, 0xb1, 0x9d, 0xf8, 0x58, 0xb0, 0xff, 0x8f, 0xd0,
 	0xda, 0xb1, 0xe6, 0xbc, 0xca, 0x20, 0x3e, 0x96, 0xd9, 0xe2, 0x2d, 0x1c, 0xe5, 0xae, 0x0f, 0xea,
 	0xc6, 0xdc, 0xe2, 0x7b, 0x95, 0xef, 0xe6, 0x32, 0xb6, 0x6a, 0x46, 0x24, 0x57, 0x8f, 0x9e, 0xed,
 	0xaa, 0x70, 0xa7, 0x1f, 0xe0, 0xa4, 0xa8, 0xda, 0xbc, 0xd4, 0xe3, 0xbb, 0x5a, 0x4b, 0xc4, 0x5e,
 	0xc0, 0xff, 0xca, 0x02, 0xe8, 0x38, 0x69, 0xe6, 0xf6, 0x12, 0x77, 0x4e, 0xb2, 0xc1, 0x88, 0xf2,
 	0x09, 0x9a, 0x79, 0xbf, 0xa1, 0x5e, 0x1a, 0x59, 0x34, 0x8c, 0xfe, 0x6e, 0x40, 0x24, 0xfb, 0x1e,
 	0x0e, 0x53, 0x8e, 0x44, 0xc9, 0x7e, 0xb7, 0xdf, 0x81, 0xce, 0x83, 0xc2, 0x7f, 0x91, 0xce, 0x00,
 	0x6a, 0xe6, 0x8a, 0xd8, 0x5e, 0xe0, 0xdf, 0x6d, 0xaf, 0x77, 0x17, 0xbf, 0xd6, 0x5d, 0xed, 0xf7,
 	0xba, 0xab, 0xfd, 0x59, 0x77, 0xb5, 0x1f, 0x7f, 0xbb, 0xff, 0x7d, 0x1e, 0x3b, 0x54, 0x2e, 0x83,
 	0xf9, 0x08, 0x33, 0xd7, 0x58, 0xda, 0x62, 0x49, 0x31, 0xe3, 0xbe, 0x7a, 0xc6, 0x45, 0xb0, 0x32,
 	0x76, 0xbc, 0xe9, 0xf3, 0x6a, 0xf8, 0x96, 0x8f, 0xff, 0x05, 0x00, 0x00, 0xff, 0xff, 0x7b, 0x20,
 	0xb4, 0xe4, 0xf5, 0x05, 0x00, 0x00,
 }
--- a/agent/connect/ca/plugin/provider.proto
+++ b/agent/connect/ca/plugin/provider.proto
@ -30,10 +30,8 @@ service CA {
 message ConfigureRequest {
    string cluster_id = 1;
-    string datacenter_name = 2;
+    bool is_root = 2;
-    string dns_domain = 3;
+    bytes config = 3; // JSON-encoded structure
    bool is_root = 4;
    bytes config = 5; // JSON-encoded structure
 }
 message SetIntermediateRequest {
--- a/agent/connect/ca/plugin/transport_grpc.go
+++ b/agent/connect/ca/plugin/transport_grpc.go
@ -20,7 +20,7 @@ func (p *providerPluginGRPCServer) Configure(_ context.Context, req *ConfigureRe
 		return nil, err
 	}
-	return &Empty{}, p.impl.Configure(req.ClusterId, req.DatacenterName, req.DnsDomain, req.IsRoot, rawConfig)
+	return &Empty{}, p.impl.Configure(req.ClusterId, req.IsRoot, rawConfig)
 }
 func (p *providerPluginGRPCServer) GenerateRoot(context.Context, *Empty) (*Empty, error) {
@ -95,8 +95,6 @@ type providerPluginGRPCClient struct {
 func (p *providerPluginGRPCClient) Configure(
 	clusterId string,
 	datacenterName string,
 	dnsDomain string,
 	isRoot bool,
 	rawConfig map[string]interface{}) error {
 	config, err := json.Marshal(rawConfig)
@ -106,8 +104,6 @@ func (p *providerPluginGRPCClient) Configure(
 	_, err = p.client.Configure(p.doneCtx, &ConfigureRequest{
 		ClusterId: clusterId,
 		DatacenterName: datacenterName,
 		DnsDomain:      dnsDomain,
 		IsRoot:    isRoot,
 		Config:    config,
 	})
--- a/agent/connect/ca/plugin/transport_netrpc.go
+++ b/agent/connect/ca/plugin/transport_netrpc.go
@ -15,7 +15,7 @@ type providerPluginRPCServer struct {
 }
 func (p *providerPluginRPCServer) Configure(args *ConfigureRPCRequest, _ *struct{}) error {
-	return p.impl.Configure(args.ClusterId, args.DatacenterName, args.DNSDomain, args.IsRoot, args.RawConfig)
+	return p.impl.Configure(args.ClusterId, args.IsRoot, args.RawConfig)
 }
 func (p *providerPluginRPCServer) GenerateRoot(struct{}, *struct{}) error {
@ -95,14 +95,10 @@ type providerPluginRPCClient struct {
 func (p *providerPluginRPCClient) Configure(
 	clusterId string,
 	datacenterName string,
 	dnsDomain string,
 	isRoot bool,
 	rawConfig map[string]interface{}) error {
 	return p.client.Call("Plugin.Configure", &ConfigureRPCRequest{
 		ClusterId: clusterId,
 		DatacenterName: datacenterName,
 		DNSDomain:      dnsDomain,
 		IsRoot:    isRoot,
 		RawConfig: rawConfig,
 	}, &struct{}{})
@ -179,8 +175,6 @@ var _ ca.Provider = &providerPluginRPCClient{}
 type ConfigureRPCRequest struct {
 	ClusterId string
 	DatacenterName string
 	DNSDomain      string
 	IsRoot    bool
 	RawConfig map[string]interface{}
 }
--- a/agent/connect/ca/provider.go
+++ b/agent/connect/ca/provider.go
@ -12,8 +12,7 @@ import (
 type Provider interface {
 	// Configure initializes the provider based on the given cluster ID, root status
 	// and configuration values.
-	Configure(clusterId string, datacenterName string, dnsDomain string,
+	Configure(clusterId string, isRoot bool, rawConfig map[string]interface{}) error
 		isRoot bool, rawConfig map[string]interface{}) error
 	// GenerateRoot causes the creation of a new root certificate for this provider.
 	// This can also be a no-op if a root certificate already exists for the given
--- a/agent/connect/ca/provider_consul.go
+++ b/agent/connect/ca/provider_consul.go
@ -28,8 +28,6 @@ type ConsulProvider struct {
 	config    *structs.ConsulCAProviderConfig
 	id        string
 	clusterID string
 	dcName    string
 	domain    string
 	isRoot    bool
 	spiffeID  *connect.SpiffeIDSigning
@ -42,8 +40,7 @@ type ConsulProviderStateDelegate interface {
 }
 // Configure sets up the provider using the given configuration.
-func (c *ConsulProvider) Configure(clusterID string, datacenterName string, dnsDomain string,
+func (c *ConsulProvider) Configure(clusterID string, isRoot bool, rawConfig map[string]interface{}) error {
 	isRoot bool, rawConfig map[string]interface{}) error {
 	// Parse the raw config and update our ID.
 	config, err := ParseConsulCAConfig(rawConfig)
 	if err != nil {
@ -52,15 +49,9 @@ func (c *ConsulProvider) Configure(clusterID string, datacenterName string, dnsD
 	c.config = config
 	hash := sha256.Sum256([]byte(fmt.Sprintf("%s,%s,%v", config.PrivateKey, config.RootCert, isRoot)))
 	c.id = strings.Replace(fmt.Sprintf("% x", hash), " ", ":", -1)
 	c.clusterID = clusterID
 	c.isRoot = isRoot
 	c.spiffeID = connect.SpiffeIDSigningForCluster(&structs.CAConfiguration{ClusterID: clusterID})
 	c.dcName = datacenterName
 	c.domain = dnsDomain
 	c.clusterID = clusterID
 	if len(c.clusterID) > 8 {
 		c.clusterID = c.clusterID[:8]
 	}
 	// Exit early if the state store has an entry for this provider's config.
 	_, providerState, err := c.Delegate.State().CAProviderState(c.id)
@ -198,8 +189,7 @@ func (c *ConsulProvider) GenerateIntermediateCSR() (string, error) {
 		return "", err
 	}
-	commonName := fmt.Sprintf("intermediate.ca.%s.%s.%s", c.clusterID, c.dcName, c.domain)
+	csr, err := connect.CreateCACSR(c.spiffeID, signer)
 	csr, err := connect.CreateCACSR(c.spiffeID, commonName, signer)
 	if err != nil {
 		return "", err
 	}
@ -354,22 +344,22 @@ func (c *ConsulProvider) Sign(csr *x509.CertificateRequest) (string, error) {
 		return "", err
 	}
-	//// Parse the SPIFFE ID
+	// Parse the SPIFFE ID
-	//spiffeId, err := connect.ParseCertURI(csr.URIs[0])
+	spiffeId, err := connect.ParseCertURI(csr.URIs[0])
-	//if err != nil {
+	if err != nil {
-	//	return "", err
+		return "", err
-	//}
+	}
 	subject := ""
 	switch id := spiffeId.(type) {
 	case *connect.SpiffeIDService:
 		subject = id.Service
 	case *connect.SpiffeIDAgent:
 		subject = id.Agent
 	default:
 		return "", fmt.Errorf("SPIFFE ID in CSR must be a service ID")
 	}
 	//subjectName := ""
 	//switch id := spiffeId.(type) {
 	//case *connect.SpiffeIDService:
 	//	subjectName = fmt.Sprintf("%s.%s.service.%s.%s", id.Host, id.Service, id.Datacenter, c.domain)
 	//case *connect.SpiffeIDAgent:
 	//	subjectName = fmt.Sprintf("%s.agent.%s.%s", id.Agent, id.Datacenter, c.domain)
 	//default:
 	//	return "", fmt.Errorf("SPIFFE ID in CSR must be a service ID")
 	//}
 	//
 	// Parse the CA cert
 	certPEM, err := c.ActiveIntermediate()
 	if err != nil {
@ -389,7 +379,7 @@ func (c *ConsulProvider) Sign(csr *x509.CertificateRequest) (string, error) {
 	effectiveNow := time.Now().Add(-1 * time.Minute)
 	template := x509.Certificate{
 		SerialNumber:          sn,
-		Subject:               csr.Subject,
+		Subject:               pkix.Name{CommonName: subject},
 		URIs:                  csr.URIs,
 		Signature:             csr.Signature,
 		SignatureAlgorithm:    csr.SignatureAlgorithm,
@ -627,7 +617,7 @@ func (c *ConsulProvider) generateCA(privateKey string, sn uint64) (string, error
 		return "", fmt.Errorf("error parsing private key %q: %s", privateKey, err)
 	}
-	commonName := fmt.Sprintf("root.ca.%s.%s.%s", c.clusterID, c.dcName, c.domain)
+	name := fmt.Sprintf("Consul CA %d", sn)
 	// The URI (SPIFFE compatible) for the cert
 	id := connect.SpiffeIDSigningForCluster(config)
@ -641,7 +631,7 @@ func (c *ConsulProvider) generateCA(privateKey string, sn uint64) (string, error
 	serialNum.SetUint64(sn)
 	template := x509.Certificate{
 		SerialNumber:          serialNum,
-		Subject:               pkix.Name{CommonName: commonName},
+		Subject:               pkix.Name{CommonName: name},
 		URIs:                  []*url.URL{id.URI()},
 		BasicConstraintsValid: true,
 		KeyUsage: x509.KeyUsageCertSign |
--- a/agent/connect/ca/provider_consul_test.go
+++ b/agent/connect/ca/provider_consul_test.go
@ -79,7 +79,7 @@ func TestConsulCAProvider_Bootstrap(t *testing.T) {
 	delegate := newMockDelegate(t, conf)
 	provider := &ConsulProvider{Delegate: delegate}
-	require.NoError(provider.Configure(conf.ClusterID, "dc1", "consul", true, conf.Config))
+	require.NoError(provider.Configure(conf.ClusterID, true, conf.Config))
 	require.NoError(provider.GenerateRoot())
 	root, err := provider.ActiveRoot()
@ -110,7 +110,7 @@ func TestConsulCAProvider_Bootstrap_WithCert(t *testing.T) {
 	delegate := newMockDelegate(t, conf)
 	provider := &ConsulProvider{Delegate: delegate}
-	require.NoError(provider.Configure(conf.ClusterID, "dc1", "consul", true, conf.Config))
+	require.NoError(provider.Configure(conf.ClusterID, true, conf.Config))
 	require.NoError(provider.GenerateRoot())
 	root, err := provider.ActiveRoot()
@ -127,7 +127,7 @@ func TestConsulCAProvider_SignLeaf(t *testing.T) {
 	delegate := newMockDelegate(t, conf)
 	provider := &ConsulProvider{Delegate: delegate}
-	require.NoError(provider.Configure(conf.ClusterID, "dc1", "consul", true, conf.Config))
+	require.NoError(provider.Configure(conf.ClusterID, true, conf.Config))
 	require.NoError(provider.GenerateRoot())
 	spiffeService := &connect.SpiffeIDService{
@ -139,7 +139,7 @@ func TestConsulCAProvider_SignLeaf(t *testing.T) {
 	// Generate a leaf cert for the service.
 	{
-		raw, _ := connect.TestCSR(t, spiffeService, "node1.foo.service.dc1.consul.")
+		raw, _ := connect.TestCSR(t, spiffeService)
 		csr, err := connect.ParseCSR(raw)
 		require.NoError(err)
@ -149,8 +149,8 @@ func TestConsulCAProvider_SignLeaf(t *testing.T) {
 		parsed, err := connect.ParseCert(cert)
 		require.NoError(err)
-		require.Equal(spiffeService.URI(), parsed.URIs[0])
+		require.Equal(parsed.URIs[0], spiffeService.URI())
-		require.Equal("node1.foo.service.dc1.consul.", parsed.Subject.CommonName)
+		require.Equal(parsed.Subject.CommonName, "foo")
 		require.Equal(uint64(2), parsed.SerialNumber.Uint64())
 		// Ensure the cert is valid now and expires within the correct limit.
@ -163,7 +163,7 @@ func TestConsulCAProvider_SignLeaf(t *testing.T) {
 	// the serial number is incremented.
 	spiffeService.Service = "bar"
 	{
-		raw, _ := connect.TestCSR(t, spiffeService, "node1.bar.service.dc1.consul.")
+		raw, _ := connect.TestCSR(t, spiffeService)
 		csr, err := connect.ParseCSR(raw)
 		require.NoError(err)
@ -173,8 +173,8 @@ func TestConsulCAProvider_SignLeaf(t *testing.T) {
 		parsed, err := connect.ParseCert(cert)
 		require.NoError(err)
-		require.Equal(spiffeService.URI(), parsed.URIs[0])
+		require.Equal(parsed.URIs[0], spiffeService.URI())
-		require.Equal("node1.bar.service.dc1.consul.", parsed.Subject.CommonName)
+		require.Equal(parsed.Subject.CommonName, "bar")
 		require.Equal(parsed.SerialNumber.Uint64(), uint64(2))
 		// Ensure the cert is valid now and expires within the correct limit.
@ -189,7 +189,7 @@ func TestConsulCAProvider_SignLeaf(t *testing.T) {
 	}
 	// Generate a leaf cert for an agent.
 	{
-		raw, _ := connect.TestCSR(t, spiffeAgent, "uuid.agent.dc1.consul.")
+		raw, _ := connect.TestCSR(t, spiffeAgent)
 		csr, err := connect.ParseCSR(raw)
 		require.NoError(err)
@ -200,7 +200,7 @@ func TestConsulCAProvider_SignLeaf(t *testing.T) {
 		parsed, err := connect.ParseCert(cert)
 		require.NoError(err)
 		require.Equal(spiffeAgent.URI(), parsed.URIs[0])
-		require.Equal("uuid.agent.dc1.consul.", parsed.Subject.CommonName)
+		require.Equal("uuid", parsed.Subject.CommonName)
 		require.Equal(uint64(2), parsed.SerialNumber.Uint64())
 		// Ensure the cert is valid now and expires within the correct limit.
@ -218,14 +218,14 @@ func TestConsulCAProvider_CrossSignCA(t *testing.T) {
 	conf1 := testConsulCAConfig()
 	delegate1 := newMockDelegate(t, conf1)
 	provider1 := &ConsulProvider{Delegate: delegate1}
-	require.NoError(provider1.Configure(conf1.ClusterID, "dc1", "consul", true, conf1.Config))
+	require.NoError(provider1.Configure(conf1.ClusterID, true, conf1.Config))
 	require.NoError(provider1.GenerateRoot())
 	conf2 := testConsulCAConfig()
 	conf2.CreateIndex = 10
 	delegate2 := newMockDelegate(t, conf2)
 	provider2 := &ConsulProvider{Delegate: delegate2}
-	require.NoError(provider2.Configure(conf2.ClusterID, "dc2", "consul", true, conf2.Config))
+	require.NoError(provider2.Configure(conf2.ClusterID, true, conf2.Config))
 	require.NoError(provider2.GenerateRoot())
 	testCrossSignProviders(t, provider1, provider2)
@ -274,7 +274,7 @@ func testCrossSignProviders(t *testing.T, provider1, provider2 Provider) {
 		Datacenter: "dc1",
 		Service:    "foo",
 	}
-	raw, _ := connect.TestCSR(t, spiffeService, "node1.foo.service.dc1.consul.")
+	raw, _ := connect.TestCSR(t, spiffeService)
 	leafCsr, err := connect.ParseCSR(raw)
 	require.NoError(err)
@ -310,14 +310,14 @@ func TestConsulProvider_SignIntermediate(t *testing.T) {
 	conf1 := testConsulCAConfig()
 	delegate1 := newMockDelegate(t, conf1)
 	provider1 := &ConsulProvider{Delegate: delegate1}
-	require.NoError(provider1.Configure(conf1.ClusterID, "dc1", "consul", true, conf1.Config))
+	require.NoError(provider1.Configure(conf1.ClusterID, true, conf1.Config))
 	require.NoError(provider1.GenerateRoot())
 	conf2 := testConsulCAConfig()
 	conf2.CreateIndex = 10
 	delegate2 := newMockDelegate(t, conf2)
 	provider2 := &ConsulProvider{Delegate: delegate2}
-	require.NoError(provider2.Configure(conf2.ClusterID, "dc1", "consul", false, conf2.Config))
+	require.NoError(provider2.Configure(conf2.ClusterID, false, conf2.Config))
 	testSignIntermediateCrossDC(t, provider1, provider2)
 }
@ -347,7 +347,7 @@ func testSignIntermediateCrossDC(t *testing.T, provider1, provider2 Provider) {
 		Datacenter: "dc1",
 		Service:    "foo",
 	}
-	raw, _ := connect.TestCSR(t, spiffeService, "node1.foo.service.dc1.consul.")
+	raw, _ := connect.TestCSR(t, spiffeService)
 	leafCsr, err := connect.ParseCSR(raw)
 	require.NoError(err)
@ -392,7 +392,7 @@ func TestConsulCAProvider_MigrateOldID(t *testing.T) {
 	require.NotNil(providerState)
 	provider := &ConsulProvider{Delegate: delegate}
-	require.NoError(provider.Configure(conf.ClusterID, "dc1", "consul", true, conf.Config))
+	require.NoError(provider.Configure(conf.ClusterID, true, conf.Config))
 	require.NoError(provider.GenerateRoot())
 	// After running Configure, the old ID entry should be gone.
--- a/agent/connect/ca/provider_vault.go
+++ b/agent/connect/ca/provider_vault.go
@ -25,9 +25,7 @@ type VaultProvider struct {
 	config    *structs.VaultCAProviderConfig
 	client    *vaultapi.Client
 	isRoot    bool
-	clusterID string
+	clusterId string
 	dcName    string
 	domain    string
 }
 func vaultTLSConfig(config *structs.VaultCAProviderConfig) *vaultapi.TLSConfig {
@ -42,8 +40,7 @@ func vaultTLSConfig(config *structs.VaultCAProviderConfig) *vaultapi.TLSConfig {
 }
 // Configure sets up the provider using the given configuration.
-func (v *VaultProvider) Configure(clusterId string, datacenterName string, dnsDomain string,
+func (v *VaultProvider) Configure(clusterId string, isRoot bool, rawConfig map[string]interface{}) error {
 	isRoot bool, rawConfig map[string]interface{}) error {
 	config, err := ParseVaultCAConfig(rawConfig)
 	if err != nil {
 		return err
@ -65,13 +62,7 @@ func (v *VaultProvider) Configure(clusterId string, datacenterName string, dnsDo
 	v.config = config
 	v.client = client
 	v.isRoot = isRoot
-	v.dcName = datacenterName
+	v.clusterId = clusterId
 	v.domain = dnsDomain
 	v.clusterID = clusterId
 	if len(v.clusterID) > 8 {
 		v.clusterID = v.clusterID[:8]
 	}
 	return nil
 }
@ -105,10 +96,13 @@ func (v *VaultProvider) GenerateRoot() error {
 		fallthrough
 	case ErrBackendNotInitialized:
-		uuid, _ := uuid.GenerateUUID()
+		spiffeID := connect.SpiffeIDSigning{ClusterID: v.clusterId, Domain: "consul"}
-		spiffeID := connect.SpiffeIDSigning{ClusterID: v.clusterID, Domain: v.domain}
+		uuid, err := uuid.GenerateUUID()
 		if err != nil {
 			return err
 		}
 		_, err = v.client.Logical().Write(v.config.RootPKIPath+"root/generate/internal", map[string]interface{}{
-			"common_name": fmt.Sprintf("%s.root.ca.%s.%s.%s", uuid[:8], v.clusterID, v.dcName, v.domain),
+			"common_name": fmt.Sprintf("Vault CA Root Authority %s", uuid),
 			"uri_sans":    spiffeID.URI().String(),
 			"key_type":    v.config.PrivateKeyType,
 			"key_bits":    v.config.PrivateKeyBits,
@ -164,11 +158,10 @@ func (v *VaultProvider) generateIntermediateCSR() (string, error) {
 	if err != nil {
 		return "", err
 	}
-	spiffeID := connect.SpiffeIDSigning{ClusterID: v.clusterID, Domain: "consul"}
+	spiffeID := connect.SpiffeIDSigning{ClusterID: v.clusterId, Domain: "consul"}
 	if role == nil {
 		_, err := v.client.Logical().Write(rolePath, map[string]interface{}{
 			"allow_any_name":   true,
 			"enforce_hostnames": false,
 			"allowed_uri_sans": "spiffe://*",
 			"key_type":         "any",
 			"max_ttl":          v.config.LeafCertTTL.String(),
@ -181,9 +174,8 @@ func (v *VaultProvider) generateIntermediateCSR() (string, error) {
 	}
 	// Generate a new intermediate CSR for the root to sign.
 	uuid, _ := uuid.GenerateUUID()
 	data, err := v.client.Logical().Write(v.config.IntermediatePKIPath+"intermediate/generate/internal", map[string]interface{}{
-		"common_name": fmt.Sprintf("%s.intermediate.ca.%s.%s.%s", uuid[:8], v.clusterID, v.dcName, v.domain),
+		"common_name": "Vault CA Intermediate Authority",
 		"key_type":    v.config.PrivateKeyType,
 		"key_bits":    v.config.PrivateKeyBits,
 		"uri_sans":    spiffeID.URI().String(),
--- a/agent/connect/ca/provider_vault_test.go
+++ b/agent/connect/ca/provider_vault_test.go
@ -48,7 +48,7 @@ func testVaultClusterWithConfig(t *testing.T, isRoot bool, rawConf map[string]in
 	require := require.New(t)
 	provider := &VaultProvider{}
-	require.NoError(provider.Configure("asdf", "dc1", "consul", isRoot, conf))
+	require.NoError(provider.Configure("asdf", isRoot, conf))
 	if isRoot {
 		require.NoError(provider.GenerateRoot())
 		_, err := provider.GenerateIntermediate()
@ -120,7 +120,7 @@ func TestVaultCAProvider_Bootstrap(t *testing.T) {
 		require.NoError(err)
 		require.True(parsed.IsCA)
 		require.Len(parsed.URIs, 1)
-		require.Equal(parsed.URIs[0].String(), fmt.Sprintf("spiffe://%s.consul", provider.clusterID))
+		require.Equal(parsed.URIs[0].String(), fmt.Sprintf("spiffe://%s.consul", provider.clusterId))
 	}
 }
@ -149,7 +149,7 @@ func TestVaultCAProvider_SignLeaf(t *testing.T) {
 	// Generate a leaf cert for the service.
 	var firstSerial uint64
 	{
-		raw, _ := connect.TestCSR(t, spiffeService, "node1.foo.service.dc1.consul.")
+		raw, _ := connect.TestCSR(t, spiffeService)
 		csr, err := connect.ParseCSR(raw)
 		require.NoError(err)
@ -159,7 +159,7 @@ func TestVaultCAProvider_SignLeaf(t *testing.T) {
 		parsed, err := connect.ParseCert(cert)
 		require.NoError(err)
-		require.Equal(spiffeService.URI(), parsed.URIs[0])
+		require.Equal(parsed.URIs[0], spiffeService.URI())
 		firstSerial = parsed.SerialNumber.Uint64()
 		// Ensure the cert is valid now and expires within the correct limit.
@ -172,7 +172,7 @@ func TestVaultCAProvider_SignLeaf(t *testing.T) {
 	// the serial number is unique.
 	spiffeService.Service = "bar"
 	{
-		raw, _ := connect.TestCSR(t, spiffeService, "node1.bar.service.dc1.consul.")
+		raw, _ := connect.TestCSR(t, spiffeService)
 		csr, err := connect.ParseCSR(raw)
 		require.NoError(err)
@ -182,7 +182,7 @@ func TestVaultCAProvider_SignLeaf(t *testing.T) {
 		parsed, err := connect.ParseCert(cert)
 		require.NoError(err)
-		require.Equal(spiffeService.URI(), parsed.URIs[0])
+		require.Equal(parsed.URIs[0], spiffeService.URI())
 		require.NotEqual(firstSerial, parsed.SerialNumber.Uint64())
 		// Ensure the cert is valid now and expires within the correct limit.
@ -233,7 +233,7 @@ func TestVaultProvider_SignIntermediateConsul(t *testing.T) {
 		conf := testConsulCAConfig()
 		delegate := newMockDelegate(t, conf)
 		provider2 := &ConsulProvider{Delegate: delegate}
-		require.NoError(provider2.Configure(conf.ClusterID, "dc2", "consul", false, conf.Config))
+		require.NoError(provider2.Configure(conf.ClusterID, false, conf.Config))
 		testSignIntermediateCrossDC(t, provider1, provider2)
 	}
@ -243,7 +243,7 @@ func TestVaultProvider_SignIntermediateConsul(t *testing.T) {
 		conf := testConsulCAConfig()
 		delegate := newMockDelegate(t, conf)
 		provider1 := &ConsulProvider{Delegate: delegate}
-		require.NoError(provider1.Configure(conf.ClusterID, "dc1", "consul", true, conf.Config))
+		require.NoError(provider1.Configure(conf.ClusterID, true, conf.Config))
 		require.NoError(provider1.GenerateRoot())
 		provider2, core, listener := testVaultClusterWithConfig(t, false, nil)
--- a/agent/connect/csr.go
+++ b/agent/connect/csr.go
@ -13,9 +13,8 @@ import (
 // CreateCSR returns a CSR to sign the given service along with the PEM-encoded
 // private key for this certificate.
-func CreateCSR(uri CertURI, commonName string, privateKey crypto.Signer, extensions ...pkix.Extension) (string, error) {
+func CreateCSR(uri CertURI, privateKey crypto.Signer, extensions ...pkix.Extension) (string, error) {
 	template := &x509.CertificateRequest{
 		Subject:            pkix.Name{CommonName: commonName},
 		URIs:               []*url.URL{uri.URI()},
 		SignatureAlgorithm: x509.ECDSAWithSHA256,
 		ExtraExtensions:    extensions,
@ -38,13 +37,13 @@ func CreateCSR(uri CertURI, commonName string, privateKey crypto.Signer, extensi
 // CreateCSR returns a CA CSR to sign the given service along with the PEM-encoded
 // private key for this certificate.
-func CreateCACSR(uri CertURI, commonName string, privateKey crypto.Signer) (string, error) {
+func CreateCACSR(uri CertURI, privateKey crypto.Signer) (string, error) {
 	ext, err := CreateCAExtension()
 	if err != nil {
 		return "", err
 	}
-	return CreateCSR(uri, commonName, privateKey, ext)
+	return CreateCSR(uri, privateKey, ext)
 }
 // CreateCAExtension creates a pkix.Extension for the x509 Basic Constraints
--- a/agent/connect/testing_ca.go
+++ b/agent/connect/testing_ca.go
@ -227,9 +227,8 @@ func TestLeaf(t testing.T, service string, root *structs.CARoot) (string, string
 // TestCSR returns a CSR to sign the given service along with the PEM-encoded
 // private key for this certificate.
-func TestCSR(t testing.T, uri CertURI, commonName string) (string, string) {
+func TestCSR(t testing.T, uri CertURI) (string, string) {
 	template := &x509.CertificateRequest{
 		Subject:            pkix.Name{CommonName: commonName},
 		URIs:               []*url.URL{uri.URI()},
 		SignatureAlgorithm: x509.ECDSAWithSHA256,
 	}
--- a/agent/consul/auto_encrypt.go
+++ b/agent/consul/auto_encrypt.go
@ -65,8 +65,7 @@ func (c *Client) RequestAutoEncryptCerts(servers []string, port int, token strin
 	}
 	// Create a CSR.
-	commonName := fmt.Sprintf("%s.agent.%s.%s", id.Agent, id.Datacenter, c.config.Domain)
+	csr, err := connect.CreateCSR(id, pk)
 	csr, err := connect.CreateCSR(id, commonName, pk)
 	if err != nil {
 		return errFn(err)
 	}
--- a/agent/consul/auto_encrypt_endpoint_test.go
+++ b/agent/consul/auto_encrypt_endpoint_test.go
@ -69,14 +69,13 @@ func TestAutoEncryptSign(t *testing.T) {
 				Datacenter: "dc1",
 				Agent:      "uuid",
 			}
 			commonName := fmt.Sprintf("%s.agent.%s.%s", id.Agent, id.Datacenter, "consul")
 			// Create a new private key
 			pk, _, err := connect.GeneratePrivateKey()
 			require.NoError(t, err, info)
 			// Create a CSR.
-			csr, err := connect.CreateCSR(id, commonName, pk)
+			csr, err := connect.CreateCSR(id, pk)
 			require.NoError(t, err, info)
 			require.NotEmpty(t, csr, info)
 			args := &structs.CASignRequest{
--- a/agent/consul/connect_ca_endpoint.go
+++ b/agent/consul/connect_ca_endpoint.go
@ -176,7 +176,7 @@ func (s *ConnectCA) ConfigurationSet(
 	if err != nil {
 		return fmt.Errorf("could not initialize provider: %v", err)
 	}
-	if err := newProvider.Configure(args.Config.ClusterID, s.srv.config.Datacenter, s.srv.config.Domain, true, args.Config.Config); err != nil {
+	if err := newProvider.Configure(args.Config.ClusterID, true, args.Config.Config); err != nil {
 		return fmt.Errorf("error configuring provider: %v", err)
 	}
 	if err := newProvider.GenerateRoot(); err != nil {
--- a/agent/consul/connect_ca_endpoint_test.go
+++ b/agent/consul/connect_ca_endpoint_test.go
@ -246,7 +246,7 @@ func TestConnectCAConfig_TriggerRotation(t *testing.T) {
 	{
 		// Generate a CSR and request signing
 		spiffeId := connect.TestSpiffeIDService(t, "web")
-		csr, _ := connect.TestCSR(t, spiffeId, "node1.web.service.dc1.consul.")
+		csr, _ := connect.TestCSR(t, spiffeId)
 		args := &structs.CASignRequest{
 			Datacenter: "dc1",
 			CSR:        csr,
@ -309,7 +309,7 @@ func TestConnectCASign(t *testing.T) {
 	// Generate a CSR and request signing
 	spiffeId := connect.TestSpiffeIDService(t, "web")
-	csr, _ := connect.TestCSR(t, spiffeId, "node1.web.service.dc1.consul.")
+	csr, _ := connect.TestCSR(t, spiffeId)
 	args := &structs.CASignRequest{
 		Datacenter: "dc1",
 		CSR:        csr,
@ -319,7 +319,7 @@ func TestConnectCASign(t *testing.T) {
 	// Generate a second CSR and request signing
 	spiffeId2 := connect.TestSpiffeIDService(t, "web2")
-	csr, _ = connect.TestCSR(t, spiffeId2, "node1.web2.service.dc1.consul.")
+	csr, _ = connect.TestCSR(t, spiffeId2)
 	args = &structs.CASignRequest{
 		Datacenter: "dc1",
 		CSR:        csr,
@ -366,7 +366,7 @@ func BenchmarkConnectCASign(b *testing.B) {
 	// Generate a CSR and request signing
 	spiffeID := connect.TestSpiffeIDService(b, "web")
-	csr, _ := connect.TestCSR(b, spiffeID, "node1.web.service.dc1.consul.")
+	csr, _ := connect.TestCSR(b, spiffeID)
 	args := &structs.CASignRequest{
 		Datacenter: "dc1",
 		CSR:        csr,
@ -406,7 +406,7 @@ func TestConnectCASign_rateLimit(t *testing.T) {
 	// Generate a CSR and request signing a few times in a loop.
 	spiffeID := connect.TestSpiffeIDService(t, "web")
-	csr, _ := connect.TestCSR(t, spiffeID, "node1.web.service.dc1.consul.")
+	csr, _ := connect.TestCSR(t, spiffeID)
 	args := &structs.CASignRequest{
 		Datacenter: "dc1",
 		CSR:        csr,
@ -460,7 +460,7 @@ func TestConnectCASign_concurrencyLimit(t *testing.T) {
 	// Generate a CSR and request signing a few times in a loop.
 	spiffeID := connect.TestSpiffeIDService(t, "web")
-	csr, _ := connect.TestCSR(t, spiffeID, "node1.web.service.dc1.consul.")
+	csr, _ := connect.TestCSR(t, spiffeID)
 	args := &structs.CASignRequest{
 		Datacenter: "dc1",
 		CSR:        csr,
@ -625,7 +625,7 @@ func TestConnectCASignValidation(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			csr, _ := connect.TestCSR(t, tt.id, "")
+			csr, _ := connect.TestCSR(t, tt.id)
 			args := &structs.CASignRequest{
 				Datacenter:   "dc1",
 				CSR:          csr,
--- a/agent/consul/leader_connect.go
+++ b/agent/consul/leader_connect.go
@ -197,7 +197,7 @@ func (s *Server) initializeCA() error {
 // initializeRootCA runs the initialization logic for a root CA.
 func (s *Server) initializeRootCA(provider ca.Provider, conf *structs.CAConfiguration) error {
-	if err := provider.Configure(conf.ClusterID, s.config.Datacenter, s.config.Domain, true, conf.Config); err != nil {
+	if err := provider.Configure(conf.ClusterID, true, conf.Config); err != nil {
 		return fmt.Errorf("error configuring provider: %v", err)
 	}
 	if err := provider.GenerateRoot(); err != nil {
@ -750,7 +750,7 @@ func (s *Server) initializeSecondaryProvider(provider ca.Provider, roots structs
 		return err
 	}
-	if err := provider.Configure(clusterID, s.config.Datacenter, s.config.Domain, false, conf.Config); err != nil {
+	if err := provider.Configure(clusterID, false, conf.Config); err != nil {
 		return fmt.Errorf("error configuring provider: %v", err)
 	}
--- a/agent/consul/leader_connect_test.go
+++ b/agent/consul/leader_connect_test.go
@ -86,7 +86,7 @@ func TestLeader_SecondaryCA_Initialize(t *testing.T) {
 		Datacenter: "primary",
 		Service:    "foo",
 	}
-	raw, _ := connect.TestCSR(t, spiffeService, "node1.foo.service.primary.consul.")
+	raw, _ := connect.TestCSR(t, spiffeService)
 	leafCsr, err := connect.ParseCSR(raw)
 	require.NoError(err)
@ -216,7 +216,7 @@ func TestLeader_SecondaryCA_IntermediateRefresh(t *testing.T) {
 		Datacenter: "dc1",
 		Service:    "foo",
 	}
-	raw, _ := connect.TestCSR(t, spiffeService, "node1.foo.service.primary.consul.")
+	raw, _ := connect.TestCSR(t, spiffeService)
 	leafCsr, err := connect.ParseCSR(raw)
 	require.NoError(err)
@ -434,7 +434,7 @@ func TestLeader_SecondaryCA_UpgradeBeforePrimary(t *testing.T) {
 		Datacenter: "dc1",
 		Service:    "foo",
 	}
-	raw, _ := connect.TestCSR(t, spiffeService, "node1.foo.service.primary.consul.")
+	raw, _ := connect.TestCSR(t, spiffeService)
 	leafCsr, err := connect.ParseCSR(raw)
 	require.NoError(t, err)