[EKS] [request]: Generated certs should be more unique #570

@deisenzimmer

Description

Tell us about your request
EKS control planes have certificates (CA, API server, etc.) which are generated as a part of the provisioning process. Those certificates only differ by public/private key and little else. The subject common name is always the same and no X509v3 key identifiers (Authority Key Identifier or Subject Key Identifier) are included in the generated certs. The generated certs should have unique subject names and/or X509 identifier extensions to enable the cert verification process for clients which need to support connecting to multiple cluster endpoints without CA cert pinning.

Which service(s) is this request for?
EKS

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?
I am trying to configure an openssl-based client (Squid proxy in peek/splice SslBump mode) such that it can support connecting (proxying) to multiple clusters. Using "aws eks update-kubeconfig" paired with kubectl solves this by using a form of certificate pinning. That is, the .kube/config file includes the endpoint and its expected CA cert. This is not possible for Squid proxy in peek/splice SslBump mode. The proxy doesn't know which endpoint to pair with which CA cert. It tries to select the CA from the trusted certs based on the subject and X509 identifier extensions, which aren't unique across EKS clusters. Therefore Squid is guaranteed to sometimes select the wrong CA cert for signature verification in a multi-cluster environment. The only solution for Squid proxy is to disable CA verification which is terrible security practice.

Are you currently working around this issue?
No, disabling CA verification or using CA cert pinning is not an option in Squid proxy for organizational security or technical reasons, respectively.
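The following script is an added illustration of the issuer-selection problem described in this issue; it is not code from the issue author or from EKS. It builds throw-away certificates in memory with the `cryptography` package (assumed to be installed): two CAs that share the subject `CN=kubernetes`, an API-server leaf signed by the second one, and a trust bundle in which the first CA is listed first. `candidate_issuers` implements the RFC 5280-style lookup a verifier performs (issuer name must equal the CA subject; Authority Key Identifier must equal the CA's Subject Key Identifier when both are present), and `audit_trust_store` is the operator-side check for bundles whose CAs a name-only lookup cannot tell apart. Names such as `kubernetes` and `kube-apiserver` are constructed sample values.

```python
"""Show why CA certs with identical subjects and no SKI/AKI are ambiguous.

Constructed example using the `cryptography` package (assumed installed).
All certificates are generated in memory; nothing touches a real cluster.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _validity(builder):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (builder.not_valid_before(now - datetime.timedelta(minutes=5))
                   .not_valid_after(now + datetime.timedelta(days=1)))


def make_ca(cn, with_ski):
    """Self-signed CA cert; the Subject Key Identifier is added only on request."""
    key = ec.generate_private_key(ec.SECP256R1())
    b = _validity(x509.CertificateBuilder()
                  .subject_name(_name(cn)).issuer_name(_name(cn))
                  .public_key(key.public_key())
                  .serial_number(x509.random_serial_number())
                  .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True))
    if with_ski:
        b = b.add_extension(x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
    return key, b.sign(key, hashes.SHA256())


def make_leaf(ca_key, ca_cert, cn, with_aki):
    """End-entity cert signed by ca_key; AKI (matching the CA's SKI) only on request."""
    key = ec.generate_private_key(ec.SECP256R1())
    b = _validity(x509.CertificateBuilder()
                  .subject_name(_name(cn)).issuer_name(ca_cert.subject)
                  .public_key(key.public_key())
                  .serial_number(x509.random_serial_number()))
    if with_aki:
        b = b.add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key()),
                            critical=False)
    return b.sign(ca_key, hashes.SHA256())


def ski_of(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
    except x509.ExtensionNotFound:
        return None


def aki_of(cert):
    try:
        return cert.extensions.get_extension_for_class(x509.AuthorityKeyIdentifier).value.key_identifier
    except x509.ExtensionNotFound:
        return None


def candidate_issuers(leaf, trust_store):
    """Issuer lookup as a verifier does it: by name, narrowed by AKI/SKI when both exist."""
    out = []
    for ca in trust_store:
        if ca.subject != leaf.issuer:
            continue
        aki, ski = aki_of(leaf), ski_of(ca)
        if aki is not None and ski is not None and aki != ski:
            continue
        out.append(ca)
    return out


def signature_ok(leaf, ca):
    """True if the leaf's signature verifies under the CA's public key."""
    try:
        ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                               ec.ECDSA(leaf.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def audit_trust_store(trust_store):
    """Operator check: CAs that share a subject and cannot be separated by SKI."""
    by_subject = {}
    for ca in trust_store:
        by_subject.setdefault(ca.subject.rfc4514_string(), []).append(ca)
    return [f"{len(cas)} CAs share subject '{subj}' and at least one lacks SKI"
            for subj, cas in by_subject.items()
            if len(cas) > 1 and any(ski_of(c) is None for c in cas)]


def run_scenario(with_key_ids):
    """Returns (candidate count, does the first candidate verify the leaf, audit findings)."""
    ca_a_key, ca_a = make_ca("kubernetes", with_key_ids)   # cluster A CA
    ca_b_key, ca_b = make_ca("kubernetes", with_key_ids)   # cluster B CA, same subject
    leaf_b = make_leaf(ca_b_key, ca_b, "kube-apiserver", with_key_ids)
    trust_store = [ca_a, ca_b]                              # bundle lists the wrong CA first
    cands = candidate_issuers(leaf_b, trust_store)
    return len(cands), signature_ok(leaf_b, cands[0]), len(audit_trust_store(trust_store))


if __name__ == "__main__":
    print("no SKI/AKI  :", run_scenario(False))   # two candidates, first one fails, 1 finding
    print("with SKI/AKI:", run_scenario(True))    # one candidate, verifies, 0 findings
```

Without key identifiers the name lookup returns both CAs and a verifier that takes the first match rejects a perfectly valid API-server cert; with an SKI on each CA and a matching AKI on the leaf the lookup is unambiguous. Running `audit_trust_store` over a proxy's CA bundle is a quick way to find out whether it contains CAs that will collide this way before disabling verification is even considered.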

Labels: EKS (Amazon Elastic Kubernetes Service), Proposed, Community submitted issue