(cert-manager) vault issuer: 'spec.renewBefore' and 'spec.duration'

I’m working to set ‘renewBefore’ and ‘duration’.

I used kyverno, which uses a MutatingAdmissionWebhook to apply the ‘renewBefore’ and ‘duration’, when the cert-manager Certificate resource was first created.

However, the status of the certificate does not reflect these values; instead, it looks like it’s using a default of 90 days duration.

Someone suggested maybe the ‘vault’ provider doesn’t support these settings?

Leaving kyverno out of the equation, according to the cert-manager documentation, I should be able to use kubectl to edit the Certificate resource and change the ‘spec.duration’, and expect the certificates to reissue (but they don’t).

How can I accomplish my goal? Can I set these defaults on the vault side? Can I set these defaults in the Certificate?

cert-manager: 1.14.6
vault: 1.15.4

Answering my own question:

My difficulties all arose around the fact that a secret with TLS certs existed and the certs were valid, so none of the changes to the certificate were getting rid of those. Once deleted, everything worked as expected; when the certs were issued, everything was as expected.
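
An added example, not part of the original post: a Python check that compares a Certificate's `spec.duration` and `spec.renewBefore` with the `status.notBefore`, `status.notAfter` and `status.renewalTime` of the certificate that was actually issued, which is the mismatch described above. The function names and the sample object are constructed for illustration; the input is assumed to be the Certificate resource as JSON (for example from `kubectl get certificate <name> -o json`).

```python
import re
from datetime import datetime, timedelta

_UNITS = {"h": 3600, "m": 60, "s": 1}

def parse_go_duration(text):
    """Parse the h/m/s subset of Go duration strings, e.g. '2160h' or '1h30m'."""
    parts = re.findall(r"(\d+(?:\.\d+)?)(h|m|s)", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=sum(float(n) * _UNITS[u] for n, u in parts))

def _ts(value):
    # Kubernetes timestamps are RFC 3339 in UTC with a trailing 'Z'
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def spec_status_drift(cert, tolerance=timedelta(minutes=5)):
    """Return a list of mismatches between spec and the issued certificate."""
    spec, status = cert["spec"], cert.get("status", {})
    if "notBefore" not in status or "notAfter" not in status:
        return ["no certificate issued yet"]
    findings = []
    not_before, not_after = _ts(status["notBefore"]), _ts(status["notAfter"])
    issued = not_after - not_before
    if "duration" in spec:
        wanted = parse_go_duration(spec["duration"])
        if abs(issued - wanted) > tolerance:
            findings.append(f"duration: spec {wanted}, issued {issued}")
    if "renewBefore" in spec and "renewalTime" in status:
        wanted_renewal = not_after - parse_go_duration(spec["renewBefore"])
        if abs(_ts(status["renewalTime"]) - wanted_renewal) > tolerance:
            findings.append("renewalTime: does not match spec.renewBefore")
    return findings

# Constructed sample: spec asks for 30 days, status still describes a 90-day certificate
STALE = {
    "spec": {"duration": "720h", "renewBefore": "240h"},
    "status": {"notBefore": "2024-05-01T00:00:00Z",
               "notAfter": "2024-07-30T00:00:00Z",
               "renewalTime": "2024-07-20T00:00:00Z"},
}

if __name__ == "__main__":
    for line in spec_status_drift(STALE) or ["spec and status agree"]:
        print(line)
```

A non-empty result means the certificate currently stored in the secret was issued with a different lifetime than the spec now requests.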