diff --git a/pkg/util/pki/csr_test.go b/pkg/util/pki/csr_test.go
index 5b76f4e1e..2c41ad37c 100644
--- a/pkg/util/pki/csr_test.go
+++ b/pkg/util/pki/csr_test.go
@@ -424,7 +424,7 @@ func TestGenerateCSR(t *testing.T) {
 						[]asn1.RawValue{
 							{Tag: nameTypeDNSName, Class: 2, Bytes: []byte("example.org")},
 						},
-						false,
+						true, // SAN is critical as the Subject is empty
 					),
 					{
 						Id:       OIDExtensionKeyUsage,
@@ -552,7 +552,7 @@ func TestGenerateCSR(t *testing.T) {
 					sansGenerator(
 						t,
 						[]asn1.RawValue{asn1otherNameUpnSANRawVal},
-						false,
+						true,
 					),
 					{
 						Id:       OIDExtensionKeyUsage,
@@ -591,7 +591,7 @@ func TestGenerateCSR(t *testing.T) {
 							asn1otherNameUpnSANRawVal,
 							asn1otherNamesAMAAccountNameRawVal,
 						},
-						false,
+						true,
 					),
 					{
 						Id:       OIDExtensionKeyUsage,
@@ -690,7 +690,7 @@ func TestGenerateCSR(t *testing.T) {
 						[]asn1.RawValue{
 							{Tag: nameTypeDNSName, Class: 2, Bytes: []byte("example.org")},
 						},
-						false,
+						true,
 					),
 					{
 						Id:       OIDExtensionKeyUsage,
@@ -720,7 +720,7 @@ func TestGenerateCSR(t *testing.T) {
 						[]asn1.RawValue{
 							{Tag: nameTypeDNSName, Class: 2, Bytes: []byte("example.org")},
 						},
-						false,
+						true,
 					),
 					{
 						Id:       OIDExtensionKeyUsage,
@@ -754,7 +754,7 @@ func TestGenerateCSR(t *testing.T) {
 						[]asn1.RawValue{
 							{Tag: nameTypeDNSName, Class: 2, Bytes: []byte("example.org")},
 						},
-						false,
+						true,
 					),
 					{
 						Id:       OIDExtensionKeyUsage,
diff --git a/pkg/util/pki/sans_test.go b/pkg/util/pki/sans_test.go
index 8aa3ac85b..9aa743d82 100644
--- a/pkg/util/pki/sans_test.go
+++ b/pkg/util/pki/sans_test.go
@@ -142,23 +142,23 @@ KkR5sV2iISL9klJn+YmoLOcr92mg/WfSE3bvaDYnjEGiunSNh+nZlBcRZVUA
 			sanExtension: extractSANsFromCertificateRequest(t, `
 generated with: openssl req -nodes -newkey rsa:2048 -subj "/CN=someCN" \
  -addext 'subjectAltName=email:email@domain.test,otherName:msUPN;UTF8:upn@domain.test'
- -----BEGIN CERTIFICATE REQUEST-----
- MIICpjCCAY4CAQAwETEPMA0GA1UEAwwGc29tZUNOMIIBIjANBgkqhkiG9w0BAQEF
- AAOCAQ8AMIIBCgKCAQEAt9fJR9OCqfWo6BUNYi70biX4tLhR3bgzbNAiNG6gE/UK
- 6JCmVCFpMwdR2p+DluHDysU7+QKp7BBMe6AcZrGs4ru7aWvS8quZnsVlPPxhJHh8
- TjoazO39Qte6CyqIVLkWdc8P65I2jlMeua1qPg8+jx5Pd65UNiop1Abmj6CU3e6t
- m79AFQ/3AEa1XTVdQw/PjAgixW+cLpdNYeTbK7r9EncHdtTFcFZVR26ZWfDvs4I8
- Rx9wi5kgL2eB3XNKxg95CUjhCY/wfyVYI2xCBTDQgyx33YLLQotjf30ZbKXRQgjd
- eFVsUNNfVn8f6uZHAJaWZWVMMDTZsNQ/IhD7YLc02wIDAQABoFAwTgYJKoZIhvcN
- AQkOMUEwPzA9BgNVHREENjA0gRFlbWFpbEBkb21haW4udGVzdKAfBgorBgEEAYI3
- FAIDoBEMD3VwbkBkb21haW4udGVzdDANBgkqhkiG9w0BAQsFAAOCAQEAXVF6VfHO
- qAIxnlWIUnc9SyxaUqr5WvCkJfvgIahA6/GvQXo+QVH/6kr3tRXAjWf8nPQ4QirV
- 55MQFCcJtNo/RIv+KZoudCCeegv2lCVDU9fGe8hGAw+XWUqSlTnWywNaLuY1BvdV
- r7h5deMc4OSTOgYqPlu8JMmxwrb7Gm5ea+UYtxjcmG+ROB2B3via+g2uwNp27cKh
- v1PJQs8lq4K/CPuRoMhhgQpYAazYkcHAdCmDq3jGYUE/Ax2vbjJNWxyLRUtLpupE
- /VTkJMD/ggF2y4I6ZLYFWeJ/zVqHw19c4suIuR4atYGk3JCHtNgHzdfxDs6Ky0+A
- f1fD+Pn5lU6rAA==
- -----END CERTIFICATE REQUEST-----
+-----BEGIN CERTIFICATE REQUEST-----
+MIICpjCCAY4CAQAwETEPMA0GA1UEAwwGc29tZUNOMIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAt9fJR9OCqfWo6BUNYi70biX4tLhR3bgzbNAiNG6gE/UK
+6JCmVCFpMwdR2p+DluHDysU7+QKp7BBMe6AcZrGs4ru7aWvS8quZnsVlPPxhJHh8
+TjoazO39Qte6CyqIVLkWdc8P65I2jlMeua1qPg8+jx5Pd65UNiop1Abmj6CU3e6t
+m79AFQ/3AEa1XTVdQw/PjAgixW+cLpdNYeTbK7r9EncHdtTFcFZVR26ZWfDvs4I8
+Rx9wi5kgL2eB3XNKxg95CUjhCY/wfyVYI2xCBTDQgyx33YLLQotjf30ZbKXRQgjd
+eFVsUNNfVn8f6uZHAJaWZWVMMDTZsNQ/IhD7YLc02wIDAQABoFAwTgYJKoZIhvcN
+AQkOMUEwPzA9BgNVHREENjA0gRFlbWFpbEBkb21haW4udGVzdKAfBgorBgEEAYI3
+FAIDoBEMD3VwbkBkb21haW4udGVzdDANBgkqhkiG9w0BAQsFAAOCAQEAXVF6VfHO
+qAIxnlWIUnc9SyxaUqr5WvCkJfvgIahA6/GvQXo+QVH/6kr3tRXAjWf8nPQ4QirV
+55MQFCcJtNo/RIv+KZoudCCeegv2lCVDU9fGe8hGAw+XWUqSlTnWywNaLuY1BvdV
+r7h5deMc4OSTOgYqPlu8JMmxwrb7Gm5ea+UYtxjcmG+ROB2B3via+g2uwNp27cKh
+v1PJQs8lq4K/CPuRoMhhgQpYAazYkcHAdCmDq3jGYUE/Ax2vbjJNWxyLRUtLpupE
+/VTkJMD/ggF2y4I6ZLYFWeJ/zVqHw19c4suIuR4atYGk3JCHtNgHzdfxDs6Ky0+A
+f1fD+Pn5lU6rAA==
+-----END CERTIFICATE REQUEST-----
 `),
 		},
 		"OtherName byte literal": {
diff --git a/test/e2e/suite/conformance/certificates/tests.go b/test/e2e/suite/conformance/certificates/tests.go
index 1fa5173d5..06da9dc8c 100644
--- a/test/e2e/suite/conformance/certificates/tests.go
+++ b/test/e2e/suite/conformance/certificates/tests.go
@@ -223,11 +223,11 @@ func (s *Suite) Define() {
 
 		s.it(f, "should issue a certificate with a couple valid otherName SAN values set as well as an emailAddress", func(issuerRef cmmeta.ObjectReference) {
 			framework.RequireFeatureGate(f, utilfeature.DefaultFeatureGate, feature.OtherNames)
-			emailAddresses := []string{"email@domain.com"}
+			emailAddresses := []string{"email@domain.test"}
 			otherNames := []cmapi.OtherName{
 				{
 					OID:       "1.3.6.1.4.1.311.20.2.3",
-					UTF8Value: "userprincipal@domain.com",
+					UTF8Value: "upn@domain.test",
 				},
 			}
 
@@ -241,6 +241,7 @@ func (s *Suite) Define() {
 					IssuerRef:      issuerRef,
 					OtherNames:     otherNames,
 					EmailAddresses: emailAddresses,
+					CommonName:     "someCN",
 				}}
 
 			By("Creating a Certificate")
@@ -290,7 +291,6 @@ YH0ROM05IRf2nOI6KInaiz4POk6JvdTb
 `)
 
 				Expect(cert.Extensions).To(ContainElement(expectedSanExtension))
-				Fail("check")
 				return nil
 			}