FreeIPA + Vault PKI: Problems

I am trying to replace the CA in FreeIPA with an intermediate cert issued from vault PKI.

I have generated a CSR - within the CSR the organizationName and commonName fields are encoded as UTF8STRINGs.

I’m unable to sign the CSR via vault write to pki/root/sign-intermediate if i specify use_csr_values=“true”. The error message is: certificate 1 of certificate chain ca trust path is incorrect - and then quotes the CN/O utf8 field values in lower case).

If i do not use_csr_values=“true”, and instead provide the commonName and organization argumes with the exact values that match the CSR - the cert is signed/issued properly. However if i examine the resulting cert with openssl i can see that the CN/O values are encoded as printablestring not utf8string.

Since FreeIPA requires the encoding (and content) to match - it will not accept the issued certificate

I was hoping to find a way to get vault to respect the encoding from the CSR, or to control how vault encodes the CN/O values passed from the CLI (so i could specify utf8).

Does anyone have any suggestions for how this can be accomplished with vault PKI?