diff --git a/lib/Genesis/Env/Secrets/Parser/FromManifest.pm b/lib/Genesis/Env/Secrets/Parser/FromManifest.pm
index 60e07653..1259cee7 100644
--- a/lib/Genesis/Env/Secrets/Parser/FromManifest.pm
+++ b/lib/Genesis/Env/Secrets/Parser/FromManifest.pm
@@ -113,8 +113,8 @@ sub _parse_certificate {
 
 	my @names = @{$opts{options}{alternative_names}//[]};
 
-	# Special Case v2.0.x CF Kit
-	if ($self->env->kit->id =~ /^cf\/2.0/) {
+	# Special Case v2.0.x CF Kit and v4.x Autoscaler Kit
+	if ($self->env->kit->id =~ /^cf\/2\.0\./) {
 		if ($path eq 'nats_server_cert') {
 			@names = (
 				"nats.service.cf.internal",
@@ -122,6 +122,10 @@ sub _parse_certificate {
 			)
 		}
 
+		my $subject_cn = $opts{options}{common_name};
+		push @names, $subject_cn
+			if (!scalar(@names) && $subject_cn);
+	} elsif ($self->env->kit->id =~ /^cf-app-autoscaler\/4\./) {
 		my $subject_cn = $opts{options}{common_name};
 		push @names, $subject_cn
 			if (!scalar(@names) && $subject_cn);
diff --git a/lib/Genesis/Secret/X509.pm b/lib/Genesis/Secret/X509.pm
index 71bfc1db..45a0a06e 100644
--- a/lib/Genesis/Secret/X509.pm
+++ b/lib/Genesis/Secret/X509.pm
@@ -99,8 +99,11 @@ sub vault_operator {
 	} elsif ($key eq 'private_key' || $key eq 'key') {
 		$path .= ':key';
 	} elsif ($key eq 'ca') {
+		if ($self->get('self_signed')) {
+			return $self->vault_operator('certificate')
+		}
 		my $ca_path = $self->get('signed_by');
-		if ($ca_path =~ /^\//) {
+		if ($ca_path && $ca_path =~ /^\//) {
 			$path = "$ca_path:certificate"
 		} else {
 			return $self->ca->vault_operator('certificate')