Repurposing Puppet CA certs issue

I am trying to use the Foreman Smart Proxy PuppetCA certificates for
authentication to a Google Appspot app. But I am running into an issue that
I can't figure out.

The appspot instance is has the PuppetCA private key, public CA cert, and a
public cert for the instance that I manually created on appspot. All of
these are signed by foreman.dozer.######.com, and when I look at the certs
they are all issued by Issuer: CN=Puppet CA: foreman.dozer.######.com ,
but when I test the connection of the client to my appspot app, the client
is expecting the issuer to be: CN=ca-foreman.dozer.######.com

For the life of me I can't figure out where the
CN=ca-foreman.dozer.######.com is coming from. It has to be somewhere in
the either the CA public cert, or the public cert of the appspot instance.

Also, why does foreman create it's own cert with Subject Alternative Names?

Any help is much appreciated.

Also, for more info, the appspot app I am trying to use is Simian
<https://github.com/google/simian>.

Any help is much appreciated.