diff --git a/examples/full-cluster-tf-upgrade/1.28/README.md b/examples/full-cluster-tf-upgrade/1.28/README.md index 33b9baa..8db62eb 100644 --- a/examples/full-cluster-tf-upgrade/1.28/README.md +++ b/examples/full-cluster-tf-upgrade/1.28/README.md @@ -78,6 +78,7 @@ cluster_name = "org-project-env" cluster_version = "1.28" region = "us-gov-east-1" domain = "org-project-env.env.domain.census.gov" +contact_email = "org-project-env-group-mailing-list@census.gov" eks_instance_disk_size = 40 eks_vpc_name = "vpc_full_name" eks_instance_type = "t3.xlarge" @@ -92,7 +93,8 @@ You need to change these values: * cluster_name: put in the proper org, project, and environment. Cluster names should not be replicated across the environment. These are tracked in the repo [cloud-information/aws/documentation/containers/](https://github.e.it.census.gov/terraform/cloud-information/blob/master/documentation/dns.md). * region: include the correct region. This really is a duplicate of the `region` variable, so it may be removed in the future. -* domain: this is the domain name of the clsuter, consisting of the cluster name and the proper domain name for the environment/VPC. +* domain: this is the domain name of the cluster, consisting of the cluster name and the proper domain name for the environment/VPC. +* contact_email: put in an email addres of a group responsible for this cluster. * eks_instance_disk_size: this should be default to 40Gb for most use-cases; only change this if you have special requirement and have exception approval. * eks_vpc_name: replace *vpc_full_name* with the appropriate vpc full name. This is used to find the vpc ID. * subnets_name: replace *subnet_label* with the label of the subnets allocated to providing ENIs for the cluster node group and containers; often as `container` or `task` 
diff --git a/examples/full-cluster-tf-upgrade/1.28/common-services/cert.tf b/examples/full-cluster-tf-upgrade/1.28/common-services/cert.tf deleted file mode 100644 index 8a06b55..0000000 --- a/examples/full-cluster-tf-upgrade/1.28/common-services/cert.tf +++ /dev/null 
@@ -1,72 +0,0 @@ -# tf-apply $(grep ^[rd] ca-cert.tf |awk '{print "-target=" $2 "." $3}' |sed -e 's/"//g') -# terraform taint null_resource.ca_cert[0] -# # (wait for submitted cert to be ready) -# tf-apply $(grep ^[rd] ca-cert.tf |awk '{print "-target=" $2 "." $3}' |sed -e 's/"//g') -# tf-apply $(grep ^[rd] ca-cert.tf |awk '{print "-target=" $2 "." $3}' |sed -e 's/"//g') - -#--- -# ca -#--- -locals { - vpc_domain_name = coalesce(var.domain, var.vpc_domain_name) - ca_dns_name = format("pki.%v.%v", var.cluster_name, local.vpc_domain_name) - # ca_ou = format("ou=%v,ou=EKS,ou=%v,ou=PKI",var.cluster_name,var.vpc_full_name) - ca_ou = format("eks-%v-%v-PKI", var.cluster_name, var.vpc_full_name) - ca_cert_download = false - ca_cert_san = [local.ca_dns_name] - - ca_key_filename = format("${path.root}/certs/%v.key", local.ca_dns_name) - ca_key_exists = fileexists(local.ca_key_filename) - ca_cert_filename = format("${path.root}/certs/%v.crt", local.ca_dns_name) - ca_cert_exists = fileexists(local.ca_cert_filename) - ca_root_filename = "${path.root}/certs/ca-root.crt" - ca_root_exists = fileexists(local.ca_root_filename) - ca_bundle_contents = local.ca_cert_exists && local.ca_root_exists ? format("%v%v", file(local.ca_cert_filename), file(local.ca_root_filename)) : "" - ca_bundle_filename = format("${path.root}/certs/%v.bundle.crt", local.ca_dns_name) - - v2_certificate_csr_message = < 0 ? var.tls_crt_file : "certs/${local.ca_dns_name}.bundle.crt" - tls_crt_contents = (length(local.tls_crt_file) > 0 && fileexists(local.tls_crt_file)) ? file(local.tls_crt_file) : var.tls_crt_contents - tls_crt_b64 = length(local.tls_crt_contents) > 0 ? base64encode(local.tls_crt_contents) : var.tls_crt_b64 - - tls_key_file = length(var.tls_key_file) > 0 ? var.tls_key_file : "certs/${local.ca_dns_name}.key" - tls_key_contents = (length(local.tls_key_file) > 0 && fileexists(local.tls_key_file)) ? file(local.tls_key_file) : var.tls_key_contents - tls_key_b64 = length(local.tls_key_contents) > 0 ? 
base64encode(local.tls_key_contents) : var.tls_key_b64 - - intermediate_ca = (length(local.tls_crt_b64) > 0) && (length(local.tls_key_b64) > 0) - - vault_ca_bundle_pem_file = var.vault_ca_bundle_pem_file - vault_ca_bundle_pem = ((length(local.vault_ca_bundle_pem_file) > 0) ? - file(local.vault_ca_bundle_pem_file) - : var.vault_ca_bundle_pem) - vault_ca_bundle_pem_b64 = ((length(local.vault_ca_bundle_pem) > 0) ? - base64encode(local.vault_ca_bundle_pem) - : var.vault_ca_bundle_pem_b64) - - vault_ca = !local.intermediate_ca && length(var.vault_url) > 0 - - self_signed_ca = !local.intermediate_ca && !local.vault_ca - - defined_ca = (local.self_signed_ca ? 1 : 0) + (local.intermediate_ca ? 1 : 0) + (local.vault_ca ? 1 : 0) -} - +## strip out all code for various certificate options and use only the subordinate_ca module (intermediate-certificate-issuer) +## locals { +## tls_crt_file = length(var.tls_crt_file) > 0 ? var.tls_crt_file : "certs/${local.ca_dns_name}.bundle.crt" +## tls_crt_contents = (length(local.tls_crt_file) > 0 && fileexists(local.tls_crt_file)) ? file(local.tls_crt_file) : var.tls_crt_contents +## tls_crt_b64 = length(local.tls_crt_contents) > 0 ? base64encode(local.tls_crt_contents) : var.tls_crt_b64 +## +## tls_key_file = length(var.tls_key_file) > 0 ? var.tls_key_file : "certs/${local.ca_dns_name}.key" +## tls_key_contents = (length(local.tls_key_file) > 0 && fileexists(local.tls_key_file)) ? file(local.tls_key_file) : var.tls_key_contents +## tls_key_b64 = length(local.tls_key_contents) > 0 ? base64encode(local.tls_key_contents) : var.tls_key_b64 +## +## intermediate_ca = (length(local.tls_crt_b64) > 0) && (length(local.tls_key_b64) > 0) +## +## vault_ca_bundle_pem_file = var.vault_ca_bundle_pem_file +## vault_ca_bundle_pem = ((length(local.vault_ca_bundle_pem_file) > 0) ? +## file(local.vault_ca_bundle_pem_file) +## : var.vault_ca_bundle_pem) +## vault_ca_bundle_pem_b64 = ((length(local.vault_ca_bundle_pem) > 0) ? 
+## base64encode(local.vault_ca_bundle_pem) +## : var.vault_ca_bundle_pem_b64) +## +## vault_ca = !local.intermediate_ca && length(var.vault_url) > 0 +## +## self_signed_ca = !local.intermediate_ca && !local.vault_ca +## +## defined_ca = (local.self_signed_ca ? 1 : 0) + (local.intermediate_ca ? 1 : 0) + (local.vault_ca ? 1 : 0) +## } +## # configure the certificate issuer. - -# when self-signed certs requested -resource "helm_release" "self-signed-certificate-issuer" { - count = local.self_signed_ca == true ? 1 : 0 - - chart = "self-signed-certificate-issuer" - name = "certificate-issuer" - namespace = kubernetes_namespace.cert-manager.metadata[0].name - repository = "${path.module}/charts/" - - depends_on = [time_sleep.let_cert-manager-webhook_boot] - - # Required because the chart creates "non-standard" kubernetes resources - # that use the cert-manager CRDs. - disable_openapi_validation = true -} +## # when self-signed certs requested +## resource "helm_release" "self-signed-certificate-issuer" { +## count = local.self_signed_ca == true ? 1 : 0 +## +## chart = "self-signed-certificate-issuer" +## name = "certificate-issuer" +## namespace = kubernetes_namespace.cert-manager.metadata[0].name +## repository = "${path.module}/charts/" +## +## depends_on = [time_sleep.let_cert-manager-webhook_boot] +## +## # Required because the chart creates "non-standard" kubernetes resources +## # that use the cert-manager CRDs. +## disable_openapi_validation = true +## } # when using an internediate CA is requested resource "helm_release" "intermediate-certificate-issuer" { - count = local.intermediate_ca == true ? 1 : 0 + ## count = local.intermediate_ca == true ? 
1 : 0 chart = "intermediate-certificate-issuer" name = "certificate-issuer" namespace = kubernetes_namespace.cert-manager.metadata[0].name repository = "${path.module}/charts/" - depends_on = [time_sleep.let_cert-manager-webhook_boot] + depends_on = [time_sleep.let_cert-manager-webhook_boot, module.subordinate_ca] # Required because the chart creates "non-standard" kubernetes resources # that use the cert-manager CRDs. 
@@ -245,78 +245,79 @@ resource "helm_release" "intermediate-certificate-issuer" {
 set {
 name = "tls.crt"
- value = local.tls_crt_b64
+ value = module.subordinate_ca.certificate_tls_crt
 }
 set {
 name = "tls.key"
- value = local.tls_key_b64
+ value = module.subordinate_ca.certificate_tls_key
 }
 }
-# when using vault as a CA is requested
-resource "helm_release" "vault-certificate-issuer" {
- count = local.vault_ca == true ? 1 : 0
-
- chart = "vault-certificate-issuer"
- name = "certificate-issuer"
- namespace = kubernetes_namespace.cert-manager.metadata[0].name
- repository = "${path.module}/charts/"
-
- depends_on = [time_sleep.let_cert-manager-webhook_boot]
-
- # Required because the chart creates "non-standard" kubernetes resources
- # that use the cert-manager CRDs.
- disable_openapi_validation = true
-
- set {
- name = "vault.url"
- value = var.vault_url
- }
- set {
- name = "vault.path"
- value = var.vault_path
- }
- set {
- name = "vault.ca_bundle"
- value = local.vault_ca_bundle_pem_b64
- }
- set {
- name = "vault.authentication_type"
- value = var.vault_authentication
- }
-
- set {
- name = "approle.secret_id"
- value = var.vault_approle_secret_id
- }
- set {
- name = "approle.role_id"
- value = var.vault_approle_secret_id
- }
- set {
- name = "approle.role_path"
- value = var.vault_approle_role_path
- }
-
- set {
- name = "token.token"
- value = var.vault_token
- }
- set {
- name = "serviceAccount.serviceAccount"
- value = var.vault_serviceaccount_sa
- }
-
- set {
- name = "serviceAccount.role"
- value = var.vault_serviceaccount_role
- }
- set {
- name = "serviceAccount.mountPath"
- value = var.vault_serviceaccount_mountpath
- }
-}
+## # when using vault as a CA is requested
+## resource "helm_release" "vault-certificate-issuer" {
+## count = local.vault_ca == true ? 
1 : 0
+##
+## chart = "vault-certificate-issuer"
+## name = "certificate-issuer"
+## namespace = kubernetes_namespace.cert-manager.metadata[0].name
+## repository = "${path.module}/charts/"
+##
+## depends_on = [time_sleep.let_cert-manager-webhook_boot]
+##
+## # Required because the chart creates "non-standard" kubernetes resources
+## # that use the cert-manager CRDs.
+## disable_openapi_validation = true
+##
+## set {
+## name = "vault.url"
+## value = var.vault_url
+## }
+## set {
+## name = "vault.path"
+## value = var.vault_path
+## }
+## set {
+## name = "vault.ca_bundle"
+## value = local.vault_ca_bundle_pem_b64
+## }
+## set {
+## name = "vault.authentication_type"
+## value = var.vault_authentication
+## }
+##
+## set {
+## name = "approle.secret_id"
+## value = var.vault_approle_secret_id
+## }
+## set {
+## name = "approle.role_id"
+## value = var.vault_approle_secret_id
+## }
+## set {
+## name = "approle.role_path"
+## value = var.vault_approle_role_path
+## }
+##
+## set {
+## name = "token.token"
+## value = var.vault_token
+## }
+##
+## set {
+## name = "serviceAccount.serviceAccount"
+## value = var.vault_serviceaccount_sa
+## }
+##
+## set {
+## name = "serviceAccount.role"
+## value = var.vault_serviceaccount_role
+## }
+## set {
+## name = "serviceAccount.mountPath"
+## value = var.vault_serviceaccount_mountpath
+## }
+## }
 # installs the istio-operator that will listen for profile configurations to
 # install / configure modify the istio components.
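Review bot: The `tls.key` value in the second `set` block is the subordinate CA's private key (`module.subordinate_ca.certificate_tls_key`) and is passed with a plain `set`, so it is rendered in `terraform plan` and `apply` output and in any CI log that captures them; change that block's opener to `set_sensitive {` so the helm provider redacts it (`tls.crt` can stay as it is). The key still ends up in Terraform state and in the Helm release secret in the `cert-manager` namespace, so access to the state backend and to that namespace should be treated as access to the CA key. The `##`-commented vault issuer kept below also preserves a copy-paste slip, `approle.role_id` reading `var.vault_approle_secret_id`, and references `local.vault_ca_bundle_pem_b64`, which this change comments out as well, so the block cannot be revived as-is and is safer deleted than kept. The enclosing `helm_release.intermediate-certificate-issuer` resource starts before this hunk.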
@@ -401,16 +402,16 @@ resource "helm_release" "istio-peer-authentication" {
 depends_on = [time_sleep.let_istio-operator_install_istio]
 }
-resource "null_resource" "certificate-issuers" {
- triggers = {
- self_signed_ca = join(",", helm_release.self-signed-certificate-issuer[*].id)
- intermediate_ca = join(",", helm_release.intermediate-certificate-issuer[*].id)
- vault_ca = join(",", helm_release.vault-certificate-issuer[*].id)
- }
- provisioner "local-exec" {
- command = "if [ ${local.defined_ca} == 0 ]; then echo 'no-certificate-issuer defined'; exit 1; fi"
- }
-}
+## resource "null_resource" "certificate-issuers" {
+## triggers = {
+## self_signed_ca = join(",", helm_release.self-signed-certificate-issuer[*].id)
+## intermediate_ca = join(",", helm_release.intermediate-certificate-issuer[*].id)
+## vault_ca = join(",", helm_release.vault-certificate-issuer[*].id)
+## }
+## provisioner "local-exec" {
+## command = "if [ ${local.defined_ca} == 0 ]; then echo 'no-certificate-issuer defined'; exit 1; fi"
+## }
+## }
 ##
 ## name = "cert-manager"
diff --git a/examples/full-cluster-tf-upgrade/1.28/settings.auto.tfvars.example b/examples/full-cluster-tf-upgrade/1.28/settings.auto.tfvars.example
index 0b5079c..a4419d7 100644
--- a/examples/full-cluster-tf-upgrade/1.28/settings.auto.tfvars.example
+++ b/examples/full-cluster-tf-upgrade/1.28/settings.auto.tfvars.example
@@ -5,6 +5,7 @@ cluster_name = "{org}-{project}-{env}"
 cluster_version = "1.28"
 region = "us-gov-east-1"
+contact_email = "{group-email-address}"
 domain = "NAME" ## set to correct domain if using a shared vpc
 eks_instance_disk_size = 40
 eks_vpc_name = "{vpc_full_name}"
diff --git a/examples/full-cluster-tf-upgrade/1.28/variables.eks.tf b/examples/full-cluster-tf-upgrade/1.28/variables.eks.tf
index e5919f5..4505e1e 100644
--- a/examples/full-cluster-tf-upgrade/1.28/variables.eks.tf
+++ b/examples/full-cluster-tf-upgrade/1.28/variables.eks.tf
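Review bot: The `certificate-issuers` guard is kept as a `##`-commented block instead of being deleted, and it references `helm_release.self-signed-certificate-issuer`, `helm_release.vault-certificate-issuer` and `local.defined_ca`, all of which this change also comments out, so it can never be uncommented as-is and only misleads the next reader; delete the block and rely on git history. If a "no issuer configured" check is still wanted, the intermediate issuer appears to lose its `count` in the earlier hunk of this file and so always exists, which makes a `precondition` on that resource a simpler and plan-time alternative to a `local-exec` provisioner. The name of the file this hunk belongs to is not visible in this chunk.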
@@ -67,3 +67,8 @@ variable "domain" {
 type = string
 default = null
 }
+
+variable "contact_email" {
+ description = "Email address in @census.gov of contact for the certificate. This is strongly recommended to be a group email address."
+ type = string
+}
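Review bot: `contact_email` is declared with only a description, so the `@census.gov` requirement it states is not enforced and a typo or an external mailbox is accepted at plan time and flows into whatever the subordinate CA module does with it; add a `validation` block that rejects anything but a single `@census.gov` address, as below. The description calls the address the contact "for the certificate" while the README hunk calls it the group responsible for the cluster; where the value is actually consumed is not visible here, so confirm which is right and align the two texts.
```hcl
variable "contact_email" {
  description = "Email address in @census.gov of contact for the certificate. This is strongly recommended to be a group email address."
  type        = string

  validation {
    condition     = can(regex("^[^@\\s]+@census\\.gov$", var.contact_email))
    error_message = "contact_email must be a single @census.gov address (a group mailbox is recommended)."
  }
}
```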