MongoDB ReplicaSet TLS Issue Using Vault and Cert-Manager

Hi, I’m new to Vault. We have K8s clusters running MongoDB with the MongoDB operator. Vault has been configured as an intermediate CA outside of our clusters. Jetstack cert-manager has been configured to manage the certificates for MongoDB.
We are hitting an issue where cert-manager creates/updates a SAN certificate for our MongoDB replica-sets using Vault PKI. The TLS secret that is created includes the key/cert pair or the SAN cert, but also the intermediate CA certificate.
For some reason MongoDB attempts to use the CA cert as the TLS certificate and fails. It works later on if we remove the CA cert from the secret.
Is there a way to have Vault exclude the CA certificate from the response?
At the end of the day we need a TLS secret created via cert-manager and Vault the includes only the SAN cert key/cert pair.
Thanks

This sounds like a bug in MongoDB.

Including the intermediate CA in the resource created by cert-manager is a standard way used by lots of software to supply certificate chains needed for clients to correctly establish trust.

If you wanted to make a change, I think you’d need to do so in Jetstack cert-manager, as that’s what formats the certificates into the Kubernetes secret.

Thanks. That is what I thought.
I have a meeting with MongoDB later today to discuss. We are running MongoDB v5.x.
It is so far the only application with this issue.