Fix bug with Vault CA provider where updating

RootPKIPath but not IntermediatePKIPath would not update leaf signing certs with the new root.
hashicorp · Jul 12, 2023 · bb998d9 · bb998d9
1 parent fc2ccfc
commit bb998d9
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/agent/connect/ca/provider.go b/agent/connect/ca/provider.go
@@ -135,8 +135,11 @@ type PrimaryProvider interface {
 	// provider.
 	//
 	// Depending on the provider and its configuration, GenerateCAChain may return
-	// a single root certificate or a chain of certs. The provider should return an
-	// existing CA chain if one exists or generate a new one and return it.
+	// a single root certificate or a chain of certs.
+	// The first certificate must be the primary CA used to sign intermediates for
+	// secondary datacenters, and the last certificate must be the trusted CA.
+	// The provider should return an existing CA chain if one exists or generate a
+	// new one and return it.
 	GenerateCAChain() (string, error)
 
 	// SignIntermediate will validate the CSR to ensure the trust domain in the