If PolicyIdentifiers and Policies have the same OIDs (i.e., because you parsed a certificate using ParseCertificate and are using it as a template), CreateCertificate will create a certificate policies extension that contains duplicate OIDs.
Also, Policies isn't documented as being used in CreateCertificate.
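A check for the condition reported above, added here as an example; it is not part of the original issue or of the Go project's code. RFC 5280 (section 4.2.1.4) does not allow a policy OID to appear more than once in the certificate policies extension, so the code reads the raw extension value rather than the parsed PolicyIdentifiers or Policies fields. The names DuplicatePolicies, CheckCertificate, SampleDup and SampleOK are assumptions, and the sample extension values are constructed.

```go
package main

import (
	"crypto/x509"
	"encoding/asn1"
	"fmt"
)

// policyInformation mirrors RFC 5280 PolicyInformation; qualifiers stay raw.
type policyInformation struct {
	Policy     asn1.ObjectIdentifier
	Qualifiers asn1.RawValue `asn1:"optional"`
}

// DuplicatePolicies lists each OID repeated in a DER certificatePolicies value.
func DuplicatePolicies(extValue []byte) ([]string, error) {
	var infos []policyInformation
	if rest, err := asn1.Unmarshal(extValue, &infos); err != nil {
		return nil, err
	} else if len(rest) != 0 {
		return nil, fmt.Errorf("trailing data after certificatePolicies")
	}
	seen, dups := map[string]int{}, []string{}
	for _, pi := range infos {
		s := pi.Policy.String()
		if seen[s]++; seen[s] == 2 { // report each repeated OID once
			dups = append(dups, s)
		}
	}
	return dups, nil
}

// CheckCertificate checks extension 2.5.29.32 of a parsed certificate, if any.
func CheckCertificate(cert *x509.Certificate) ([]string, error) {
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 32}) {
			return DuplicatePolicies(ext.Value)
		}
	}
	return nil, nil
}

// Constructed samples: one policy OID listed twice, then listed once.
var dv = policyInformation{Policy: asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}}
var SampleDup, _ = asn1.Marshal([]policyInformation{dv, dv})
var SampleOK, _ = asn1.Marshal([]policyInformation{dv})

func main() {
	fmt.Println(DuplicatePolicies(SampleDup))
}
```

Running CheckCertificate on the output of CreateCertificate (after ParseCertificate) in a test catches the duplicate before the certificate is issued.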
Comment From: gopherbot
Change https://go.dev/cl/539297 mentions this issue: crypto/x509: fix certificate policy marshaling