Add CR subject as iid default subject.

Add a minimal subject with just a common name to iid provisioners
in case we want to use it.

authority/provisioner/aws.go

@@ -290,14 +290,15 @@ func (p *AWS) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 	var so []SignOption
 	if p.DisableCustomSANs {
 		dnsName := fmt.Sprintf("ip-%s.%s.compute.internal", strings.Replace(doc.PrivateIP, ".", "-", -1), doc.Region)
-		data.SetSANs([]string{dnsName, doc.PrivateIP})
-
 		so = append(so, dnsNamesValidator([]string{dnsName}))
 		so = append(so, ipAddressesValidator([]net.IP{
 			net.ParseIP(doc.PrivateIP),
 		}))
 		so = append(so, emailAddressesValidator(nil))
 		so = append(so, urisValidator(nil))
+
+		// Template options
+		data.SetSANs([]string{dnsName, doc.PrivateIP})
 	}
 
 	templateOptions, err := CustomTemplateOptions(p.Options, data, x509util.DefaultIIDLeafTemplate)

authority/provisioner/gcp.go

@@ -221,6 +221,7 @@ func (p *GCP) AuthorizeSign(ctx context.Context, token string) ([]SignOption, er
 	// Template options
 	data := x509util.NewTemplateData()
 	data.SetToken(claims)
+	data.SetCommonName(ce.InstanceName)
 
 	// Enforce known common name and default DNS if configured.
 	// By default we we'll accept the CN and SANs in the CSR.

x509util/templates.go

@@ -78,7 +78,7 @@ const DefaultLeafTemplate = `{
 // The keyUsage "keyEncipherment" is special and it will be only used for RSA
 // keys.
 const DefaultIIDLeafTemplate = `{
-	"subject": {{ toJson .Subject }},
+	"subject": {{ toJson .CR.Subject }},
 	{{- if .SANs }}
 	"sans": {{ toJson .SANs }},
 	{{- else }}