diff --git a/cluster/clustercfg/certs/BUILD.bazel b/cluster/clustercfg/certs/BUILD.bazel
new file mode 100644
index 0000000..c115680
--- /dev/null
+++ b/cluster/clustercfg/certs/BUILD.bazel
@@ -0,0 +1,12 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+
+go_library(
+    name = "go_default_library",
+    srcs = [
+        "certs.go",
+        "generator.go",
+        "x509.go",
+    ],
+    importpath = "code.hackerspace.pl/hscloud/cluster/clustercfg/certs",
+    visibility = ["//visibility:public"],
+)
diff --git a/cluster/clustercfg/certs/certs.go b/cluster/clustercfg/certs/certs.go
new file mode 100644
index 0000000..7571717
--- /dev/null
+++ b/cluster/clustercfg/certs/certs.go
@@ -0,0 +1,288 @@
+package certs
+
+import (
+	"net"
+	"time"
+)
+
+// Certificates is the set of certificates required to run our Kubernetes
+// production.
+type Certificates struct {
+	CAs CAs
+
+	ProdviderIntermediateCA *Certificate
+
+	Global  Global
+	PerNode map[string]PerNode
+}
+
+type ensurer interface {
+	Ensure() error
+}
+
+// Ensure checks that all the Kubernetes production certificates and keys are
+// present on disk, generating them as necessary.
+//
+// If the user has not decrypted cluster/secrets, an error will be returned.
+// However, deeper sync checks are not currently performed.
+func (c *Certificates) Ensure() error {
+	sub := []ensurer{
+		&c.CAs,
+		c.ProdviderIntermediateCA,
+		&c.Global,
+	}
+	for _, pn := range c.PerNode {
+		sub = append(sub, &pn)
+	}
+	for _, s := range sub {
+		if err := s.Ensure(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// CAs are the root certificate authorities we use.
+type CAs struct {
+	// EtcdPeer is used by etcd member nodes to authenticate peers.
+	EtcdPeer *Certificate
+	// Etcd is used by etcd membrer nodes to authenticate clients (ie.
+	// kube-apiservers).
+	Etcd *Certificate
+	// Kube is the main Kubernetes 'identity' CA, used to identify components
+	// and users.
+	Kube *Certificate
+	// KubeFront is the proxy/aggregation CA used by external apiservices to
+	// authenticate incoming apiserver connections.
+	KubeFront *Certificate
+	// Admitomatic is the CA used by the admitomatic webhook to authenticate
+	// incoming apiserver connections.
+	Admitomatic *Certificate
+}
+
+func (c *CAs) Ensure() error {
+	sub := []ensurer{
+		c.EtcdPeer,
+		c.Etcd,
+		c.Kube,
+		c.KubeFront,
+		c.Admitomatic,
+	}
+	for _, s := range sub {
+		if err := s.Ensure(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+// Global are all the non-per-node certificates we use.
+type Global struct {
+	// EtcdKube is used by kubernetes apiservers to authenticate to etcd
+	// members.
+	EtcdKube *Certificate
+
+	// KubeApiserver is used by kubernetes apiservers to authenticate to other
+	// kubernetes components/users.
+	KubeApiserver *Certificate
+	// KubeControllerManager is used by kubernetes controller managers to
+	// authenticate to the kubernetes apiservers.
+	KubeControllerManager *Certificate
+	// KubeScheduler is used by the kubernetes schedulers to authenticate to
+	// the kubernetes apiservers.
+	KubeScheduler *Certificate
+
+	// KubefrontApiserver is used by the kubernetes apiserver to authenticate
+	// to external apiservices.
+	KubefrontApiserver *Certificate
+
+	// AdmitomaticWebhook is used by the admitomatic webhook to authenticate to
+	// the Kubernetes apiservers.
+	AdmitomaticWebhook *Certificate
+}
+
+func (g *Global) Ensure() error {
+	sub := []ensurer{
+		g.EtcdKube,
+		g.KubeApiserver,
+		g.KubeControllerManager,
+		g.KubeScheduler,
+		g.KubefrontApiserver,
+		g.AdmitomaticWebhook,
+	}
+	for _, s := range sub {
+		if err := s.Ensure(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func (c *Certificates) MakeKubeEmergencyCreds(root, breadcrumb string) *Certificate {
+	return &Certificate{
+		name:     "emergency",
+		duration: 7 * 24 * time.Hour,
+		root:     root,
+		kind:     kindClient,
+		cn:       "admin",
+		san:      []string{"admin", breadcrumb},
+		o:        "system:masters",
+		issuer:   c.CAs.Kube,
+	}
+}
+
+// Per node are all the per-node certificates we use.
+type PerNode struct {
+	// EtcdPeer is used by etcd members to authenticate to other etcd members.
+	EtcdPeer *Certificate
+	// EtcdClient is used by etcd members to authenticate to their clients.
+	EtcdClient *Certificate
+
+	// Kubelet is used by kubelets to authenticate to other kubernetes
+	// components.
+	Kubelet *Certificate
+}
+
+func (p *PerNode) Ensure() error {
+	sub := []ensurer{
+		p.EtcdPeer,
+		p.EtcdClient,
+		p.Kubelet,
+	}
+	for _, s := range sub {
+		if err := s.Ensure(); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func mkCA(root, name, cn string) *Certificate {
+	return &Certificate{
+		name: name,
+		root: root,
+		kind: kindCA,
+		cn:   cn,
+	}
+}
+
+// Prepare builds our Certificates structure at a given location on the
+// filesystem, for the given nodes.
+//
+// Calling Ensure() on the returned Certificates will actually engage
+// generation logic. Before that, no disk accesses are performed.
+func Prepare(root string, fqdns []string) Certificates {
+	certs := Certificates{
+		CAs: CAs{
+			EtcdPeer:    mkCA(root, "ca-etcdpeer", "etcd peer ca"),
+			Etcd:        mkCA(root, "ca-etcd", "etcd ca"),
+			Kube:        mkCA(root, "ca-kube", "kubernetes main CA"),
+			KubeFront:   mkCA(root, "ca-kubefront", "kubernetes frontend CA"),
+			Admitomatic: mkCA(root, "ca-admitomatic", "admitomatic webhook CA"),
+		},
+		PerNode: make(map[string]PerNode),
+	}
+
+	certs.ProdviderIntermediateCA = &Certificate{
+		name:   "ca-kube-prodvider",
+		root:   root,
+		kind:   kindProdvider,
+		cn:     "kubernetes prodvider intermediate",
+		issuer: certs.CAs.Kube,
+	}
+	certs.Global = Global{
+		EtcdKube: &Certificate{
+			name:   "etcd-kube",
+			root:   root,
+			kind:   kindClient,
+			cn:     "kube etcd client certificate",
+			san:    []string{"kube"},
+			issuer: certs.CAs.Etcd,
+		},
+		KubeApiserver: &Certificate{
+			name: "kube-apiserver",
+			root: root,
+			kind: kindClientServer,
+			cn:   "k0.hswaw.net",
+			san: []string{
+				"k0.hswaw.net",
+				"kubernetes.default.svc.k0.hswaw.net",
+			},
+			ips: []net.IP{
+				{10, 10, 12, 1},
+			},
+			issuer: certs.CAs.Kube,
+		},
+		KubeControllerManager: &Certificate{
+			name:   "kube-controllermanager",
+			root:   root,
+			kind:   kindClientServer,
+			cn:     "system:kube-controller-manager",
+			san:    []string{"system:kube-controller-manager"},
+			o:      "system:kube-controller-manager",
+			issuer: certs.CAs.Kube,
+		},
+		KubeScheduler: &Certificate{
+			name:   "kube-scheduler",
+			root:   root,
+			kind:   kindClientServer,
+			cn:     "system:kube-scheduler",
+			san:    []string{"system:kube-scheduler"},
+			o:      "system:kube-scheduler",
+			issuer: certs.CAs.Kube,
+		},
+		KubefrontApiserver: &Certificate{
+			name:   "kubefront-apiserver",
+			root:   root,
+			kind:   kindClientServer,
+			cn:     "Kubernetes Frontend",
+			san:    []string{"apiserver"},
+			issuer: certs.CAs.KubeFront,
+		},
+		AdmitomaticWebhook: &Certificate{
+			name:   "admitomatic-webhook",
+			root:   root,
+			kind:   kindServer,
+			cn:     "Admitomatic Webhook",
+			san:    []string{"admitomatic.admitomatic.svc"},
+			issuer: certs.CAs.Admitomatic,
+		},
+	}
+	for _, fqdn := range fqdns {
+		certs.PerNode[fqdn] = PerNode{
+			EtcdPeer: &Certificate{
+				name:   "etcdpeer-" + fqdn,
+				root:   root,
+				kind:   kindClientServer,
+				cn:     "node etcd peer certificate",
+				san:    []string{fqdn},
+				issuer: certs.CAs.EtcdPeer,
+			},
+			EtcdClient: &Certificate{
+				name: "etcd-" + fqdn,
+				root: root,
+				// etcd seems to need client too, as it's connecting to itself
+				// for... some reason?
+				// https://github.com/etcd-io/etcd/issues/9785
+				kind:   kindClientServer,
+				cn:     "node etcd server certificate",
+				san:    []string{fqdn},
+				issuer: certs.CAs.Etcd,
+			},
+			Kubelet: &Certificate{
+				name: "kube-kubelet-" + fqdn,
+				root: root,
+				kind: kindClientServer,
+				cn:   "system:node:" + fqdn,
+				o:    "system:nodes",
+				san: []string{
+					"system:node:" + fqdn,
+					fqdn,
+				},
+				issuer: certs.CAs.Kube,
+			},
+		}
+	}
+
+	return certs
+}
diff --git a/cluster/clustercfg/certs/generator.go b/cluster/clustercfg/certs/generator.go
new file mode 100644
index 0000000..7cd2c81
--- /dev/null
+++ b/cluster/clustercfg/certs/generator.go
@@ -0,0 +1,297 @@
+package certs
+
+import (
+	"bytes"
+	"crypto"
+	"crypto/ed25519"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"log"
+	"math/big"
+	"net"
+	"os"
+	"path/filepath"
+	"time"
+)
+
+// Certificate is a higher-level descriptor of an intent to generate a
+// certificate and corresponding Ed25519 keypair on disk.
+type Certificate struct {
+	// uniquer name for this cert, used to calculate filesystem paths.
+	name string
+	// root directory where all certs are stored.
+	root string
+	// duration used to determine TimeAfter. If not set, the certificate will
+	// never expire.
+	duration time.Duration
+
+	kind certificateKind
+
+	// cn is the subject common name that's going to be produced in the X.509
+	// certificate.
+	cn string
+	// o is the subject organziation that's going to be produced in the X.509
+	// certificate.
+	o string
+	// san are the DNS alternate names that are going to be produced in the
+	// X.509 certificate.
+	san []string
+	// ips are the IP alternate names that are going to be produced in the
+	// X.509 certificate.
+	ips []net.IP
+
+	// issuer, if set, is the certificate that will sign this certificate. If
+	// not set, the certificate will be self-signed.
+	issuer *Certificate
+}
+
+// Paths returns local filesystem paths to the CA certificate, certificate and
+// key respectively. If the certificate is self signed, the CA path returned
+// will be empty. These files might or might not live on the file system - you
+// should first call Ensure to make sure they do.
+func (c *Certificate) Paths() (caPath, certPath, keyPath string) {
+	if c.issuer != nil {
+		caPath = c.issuer.path(fileKindCert)
+	}
+	certPath = c.path(fileKindCert)
+	keyPath = c.path(fileKindKey)
+	return
+}
+
+type certificateKind string
+
+const (
+	kindServer       certificateKind = "server"
+	kindClient       certificateKind = "client"
+	kindClientServer certificateKind = "client-server"
+	kindCA           certificateKind = "ca"
+	kindProdvider    certificateKind = "prodvider"
+)
+
+type fileKind string
+
+const (
+	fileKindKey          fileKind = "key"
+	fileKindKeyEncrypted fileKind = "key-encrypted"
+	fileKindCert         fileKind = "cert"
+)
+
+// path returns the path to the generated fileKind for this Certificate.
+func (c *Certificate) path(k fileKind) string {
+	switch k {
+	case fileKindKeyEncrypted:
+		return filepath.Join(c.root, "secrets", "cipher", c.name+".key")
+	case fileKindKey:
+		return filepath.Join(c.root, "secrets", "plain", c.name+".key")
+	case fileKindCert:
+		// clustercfg.py compat: CA certs end in .crt, non-CA certs end in .cert.
+		// We're keeping this accidental convention to avoid spurious nix rebuilds
+		// when migrating.
+		//
+		// Feel free to fix it if it annoys you.
+		extension := ".cert"
+		if c.kind == kindCA {
+			extension = ".crt"
+		}
+		return filepath.Join(c.root, "certs", c.name+extension)
+	default:
+		panic("unexpected file kind type " + k)
+	}
+}
+
+// ensureKey loads or generates-then-saves the private key for this
+// Certificate.
+func (c *Certificate) ensureKey() (crypto.Signer, error) {
+	path := c.path(fileKindKey)
+	_, err := os.Stat(path)
+	switch {
+	case err == nil:
+		return c.loadKey()
+	case errors.Is(err, os.ErrNotExist):
+		epath := c.path(fileKindKeyEncrypted)
+		if _, err = os.Stat(epath); err == nil {
+			return nil, fmt.Errorf("plaintext key at %q not found, but exists encrypted at %q - please decrypt using secretstore", path, epath)
+		}
+		return c.generateKey()
+	default:
+		return nil, fmt.Errorf("could not read key: %w", err)
+	}
+}
+
+func (c *Certificate) loadKey() (crypto.Signer, error) {
+	path := c.path(fileKindKey)
+	bytes, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+	block, _ := pem.Decode(bytes)
+	if block == nil {
+		return nil, fmt.Errorf("no PEM block found")
+	}
+	if block.Type != "PRIVATE KEY" {
+		return nil, fmt.Errorf("unexpected PEM block: %q", block.Type)
+	}
+	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+	if k, ok := key.(ed25519.PrivateKey); ok {
+		return k, nil
+	}
+	return nil, fmt.Errorf("not an ED25519 key")
+}
+
+func (c *Certificate) generateKey() (crypto.Signer, error) {
+	_, priv, err := ed25519.GenerateKey(rand.Reader)
+	if err != nil {
+		return nil, err
+	}
+
+	pkcs8, err := x509.MarshalPKCS8PrivateKey(priv)
+	if err != nil {
+		return nil, err
+	}
+
+	block := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8})
+	path := c.path(fileKindKey)
+	os.MkdirAll(filepath.Dir(path), 0700)
+	log.Printf("Saving %s key to %s ...", c.name, path)
+	if err := os.WriteFile(path, block, 0600); err != nil {
+		return nil, err
+	}
+
+	return priv, nil
+}
+
+// ensureCert loads or generates-then-saves the X.509 certificate for the
+// Certificate.
+func (c *Certificate) ensureCert() (*x509.Certificate, error) {
+	path := c.path(fileKindCert)
+	_, err := os.Stat(path)
+	switch {
+	case err == nil:
+		cert, err := c.loadCert()
+		switch err {
+		case nil:
+			return cert, nil
+		case errExpired:
+			return c.generateCert()
+		default:
+			return nil, err
+		}
+	case errors.Is(err, os.ErrNotExist):
+		return c.generateCert()
+	default:
+		return nil, fmt.Errorf("could not read cert: %w", err)
+	}
+}
+
+func (c *Certificate) generateCert() (*x509.Certificate, error) {
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 127)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		return nil, err
+	}
+
+	notAfter := unknownNotAfter
+	if c.duration != 0 {
+		notAfter = time.Now().Add(c.duration)
+	}
+	template := c.template()
+	template.SerialNumber = serialNumber
+	template.NotBefore = time.Now()
+	template.NotAfter = notAfter
+
+	parent := template
+	skey, err := c.ensureKey()
+	if err != nil {
+		return nil, fmt.Errorf("when ensuring key: %w", err)
+	}
+	pkey := skey.Public()
+	caskey := skey
+	if c.issuer != nil {
+		caskey, err = c.issuer.ensureKey()
+		if err != nil {
+			return nil, fmt.Errorf("when ensuring CA key: %w", err)
+		}
+		cacert, err := c.issuer.ensureCert()
+		if err != nil {
+			return nil, fmt.Errorf("when ensuring CA cert: %w", err)
+		}
+		parent = cacert
+	}
+
+	bytes, err := x509.CreateCertificate(rand.Reader, template, parent, pkey, caskey)
+	if err != nil {
+		return nil, fmt.Errorf("issuing certificate failed: %w", err)
+	}
+
+	block := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: bytes})
+	path := c.path(fileKindCert)
+	os.MkdirAll(filepath.Dir(path), 0700)
+	log.Printf("Saving %s cert to %s ...", c.name, path)
+	if err := os.WriteFile(path, block, 0600); err != nil {
+		return nil, err
+	}
+
+	return x509.ParseCertificate(bytes)
+}
+
+// errExpired is returned if the cert exists on disk but has (nearly) expired.
+var errExpired = errors.New("certificate expired")
+
+func (c *Certificate) loadCert() (*x509.Certificate, error) {
+	path := c.path(fileKindCert)
+	b, err := os.ReadFile(path)
+	if err != nil {
+		return nil, err
+	}
+
+	block, _ := pem.Decode(b)
+	if block == nil {
+		return nil, fmt.Errorf("no PEM block found")
+	}
+	if block.Type != "CERTIFICATE" {
+		return nil, fmt.Errorf("unexpected PEM block: %q", block.Type)
+	}
+	cert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		return nil, err
+	}
+	if time.Now().Add(time.Hour).After(cert.NotAfter) {
+		return nil, errExpired
+	}
+	pkey, ok := cert.PublicKey.(ed25519.PublicKey)
+	if !ok {
+		return nil, fmt.Errorf("not a ED25519 cert")
+	}
+	skey, err := c.ensureKey()
+	if err != nil {
+		return nil, fmt.Errorf("when ensuring key: %w", err)
+	}
+	if !bytes.Equal(pkey, skey.Public().(ed25519.PublicKey)) {
+		return nil, fmt.Errorf("issued for different key")
+	}
+
+	template := c.template()
+	if err := compareCertData(template, cert); err != nil {
+		return nil, err
+	}
+	return cert, nil
+}
+
+// Ensure makes sure the given Certificate (and all of its' issuers) have
+// corresponding private keys and X.509 certificates on disk, generating things
+// as necessary.
+func (c *Certificate) Ensure() error {
+	cert, err := c.ensureCert()
+	if err != nil {
+		return fmt.Errorf("when ensuring cert %s: %w", c.name, err)
+	}
+	_ = cert
+
+	return nil
+}
diff --git a/cluster/clustercfg/certs/x509.go b/cluster/clustercfg/certs/x509.go
new file mode 100644
index 0000000..a64ec1a
--- /dev/null
+++ b/cluster/clustercfg/certs/x509.go
@@ -0,0 +1,98 @@
+package certs
+
+import (
+	"bytes"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"fmt"
+	"strings"
+	"time"
+)
+
+var (
+	// From RFC 5280 Section 4.1.2.5
+	unknownNotAfter = time.Unix(253402300799, 0)
+)
+
+// compareCertData returns an error if any of the 'important' bits of the two
+// certificates differ. Those are the bits that we template ourselves, and that
+// are not issue-dependent (ie. not time or serial or kid or ...).
+func compareCertData(template, cert *x509.Certificate) error {
+	if want, got := template.Subject.String(), cert.Subject.String(); want != got {
+		return fmt.Errorf("issued for different subject, wanted %s, got %s", want, got)
+	}
+	if want, got := strings.Join(template.DNSNames, ","), strings.Join(cert.DNSNames, ","); want != got {
+		return fmt.Errorf("issued for different DNS names, wanted %s, got %s", want, got)
+	}
+	if want, got := len(template.IPAddresses), len(cert.IPAddresses); want != got {
+		return fmt.Errorf("issued for different IP addresses, wanted %v, got %v", want, got)
+	} else {
+		for i := 0; i < len(template.IPAddresses); i++ {
+			if want, got := template.IPAddresses[i], cert.IPAddresses[i]; !bytes.Equal(want, got) {
+				return fmt.Errorf("issued for different IP addresses, wanted %v, got %v", want, got)
+			}
+		}
+	}
+	if want, got := template.KeyUsage, cert.KeyUsage; want != got {
+		return fmt.Errorf("issued for different key usage, wanted %d, got %d", want, got)
+	}
+	if want, got := len(template.ExtKeyUsage), len(cert.ExtKeyUsage); want != got {
+		return fmt.Errorf("issued for different ext key usage, wanted %v, got %v", want, got)
+	} else {
+		for i := 0; i < len(template.ExtKeyUsage); i++ {
+			if want, got := template.ExtKeyUsage[i], cert.ExtKeyUsage[i]; want != got {
+				return fmt.Errorf("issued for different ext key usage, wanted %v, got %v", want, got)
+			}
+		}
+	}
+	if want, got := template.IsCA, cert.IsCA; want != got {
+		return fmt.Errorf("issued for different IsCA, wanted %v, got %v", want, got)
+	}
+	if want, got := template.BasicConstraintsValid, cert.BasicConstraintsValid; want != got {
+		return fmt.Errorf("issued for different basic constraints valid, wanted %v, got %v", want, got)
+	}
+	return nil
+}
+
+// template builds an x509 'template' certificate, ie. makes an
+// x509.Certificate with all the fields built up from the data contained in
+// Certificate, but without any per-issue fields like times, serial number,
+// etc.
+func (c *Certificate) template() *x509.Certificate {
+	template := &x509.Certificate{
+		Subject: pkix.Name{
+			CommonName: c.cn,
+		},
+		DNSNames:    c.san,
+		IPAddresses: c.ips,
+	}
+	if c.o != "" {
+		template.Subject.Organization = []string{c.o}
+	}
+	switch c.kind {
+	case kindServer:
+		template.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
+		template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
+		template.DNSNames = c.san
+	case kindClient:
+		template.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
+		template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
+		template.DNSNames = c.san
+	case kindClientServer:
+		template.KeyUsage = x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
+		template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
+	case kindCA:
+		template.IsCA = true
+		template.BasicConstraintsValid = true
+		template.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature
+		template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageOCSPSigning}
+		template.AuthorityKeyId = template.SubjectKeyId
+	case kindProdvider:
+		template.IsCA = true
+		template.BasicConstraintsValid = true
+		template.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign | x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment
+		template.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageOCSPSigning}
+		template.AuthorityKeyId = template.SubjectKeyId
+	}
+	return template
+}