Task
Resolution: Unresolved
Normal
1.28.0, 1.29.0
We don't have a way to allow arbitrary custom certs with a ConfigMap. We only allow a secret to have arbitrary certs. A ConfigMap is only used with OCP PKI. We need to be able to support both OCP PKI injection and manual addition of certs via a ConfigMap.
Related discussion and more details here: https://redhat-internal.slack.com/archives/CF5ANN61F/p1682503702899549
Right now, if the user defines nothing in the Serving CR, they get a ConfigMap filled in with the OCP PKI stuff:
$ oc get cm -n knative-serving
...
config-service-ca              2   3m5s
config-service-ca-service-ca   1   3m5s
config-service-ca-trusted-ca   1   3m5s
Another issue to be investigated is whether rotation happens in the default case: what happens if config-service-ca-service-ca changes?
It seems that config-service-ca, which is mounted to the controller, will not get the updates.
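One way to check the rotation concern above is to compare certificate fingerprints between the source bundles and the bundle the controller actually has mounted. This is an added example, not code from the project; it assumes each bundle is concatenated PEM text, the function names are hypothetical, and the sample "certificates" are constructed placeholder bytes.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprints(bundle: str) -> set[str]:
    """SHA-256 of each certificate's DER bytes in a concatenated PEM bundle."""
    out = set()
    for body in PEM_RE.findall(bundle):
        # Strip line wrapping so differently wrapped copies hash identically.
        der = base64.b64decode("".join(body.split()))
        out.add(hashlib.sha256(der).hexdigest())
    return out


def missing_from_mounted(source_bundles: list[str], mounted: str) -> set[str]:
    """Fingerprints present in any source bundle but absent from the mounted one."""
    wanted = set().union(*(fingerprints(b) for b in source_bundles))
    return wanted - fingerprints(mounted)


def _pem(payload: bytes) -> str:
    # Constructed stand-in for a certificate: arbitrary bytes in PEM armor.
    b64 = base64.encodebytes(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"


# Constructed sample data (not real certificates).
OLD_SERVICE_CA = _pem(b"service-ca generation 1")
NEW_SERVICE_CA = _pem(b"service-ca generation 2")
TRUSTED_CA = _pem(b"cluster trusted CA") + _pem(b"custom corporate CA")

# Assumed scenario: the mounted bundle was assembled before the service CA
# rotated, and the source bundle changed afterwards.
MOUNTED = OLD_SERVICE_CA + TRUSTED_CA

if __name__ == "__main__":
    stale = missing_from_mounted([NEW_SERVICE_CA, TRUSTED_CA], MOUNTED)
    print("stale" if stale else "in sync", sorted(stale))
```

A non-empty result means the mounted bundle has not picked up a certificate that exists in one of its sources, which is the stale state the description suspects after rotation.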