In track 2 setting certificate properties via CertificatePolicy requires passing an issuer, when in track 1 that was not required.

To support import, define a default constructor but leave Issuer, Subject, and SubjectAlternativeNames read-only properties. The parameters in existing constructors should also continue to be asserted. issuer is optional during import, and subject is ignored - obtained from the X509 certificate anyway. We could also loosen restrictions in the future if needs be.

To note: if we did loosen restrictions later and allowed subject or SAN to be null, the service does return a pretty descriptive error that would help customers diagnose the issue:

{
    "error": {
        "code": "BadParameter",
        "message": "Either subjectName or san must be present"
    }
}