From bb998d911341298bd4a9d35dde27d38623f639e9 Mon Sep 17 00:00:00 2001
From: "Chris S. Kim"
Date: Wed, 12 Jul 2023 16:31:30 -0400
Subject: [PATCH] Fix bug with Vault CA provider where updating RootPKIPath but not IntermediatePKIPath would not update leaf signing certs with the new root.

---
 agent/connect/ca/provider.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/agent/connect/ca/provider.go b/agent/connect/ca/provider.go
index 6f40e7b97f8e0..2ef34228bc483 100644
--- a/agent/connect/ca/provider.go
+++ b/agent/connect/ca/provider.go
@@ -135,8 +135,11 @@ type PrimaryProvider interface {
 // provider.
 //
 // Depending on the provider and its configuration, GenerateCAChain may return
- // a single root certificate or a chain of certs. The provider should return an
- // existing CA chain if one exists or generate a new one and return it.
+ // a single root certificate or a chain of certs.
+ // The first certificate must be the primary CA used to sign intermediates for
+ // secondary datacenters, and the last certificate must be the trusted CA.
+ // The provider should return an existing CA chain if one exists or generate a
+ // new one and return it.
 GenerateCAChain() (string, error)
 
 // SignIntermediate will validate the CSR to ensure the trust domain in the
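Review bot: The new doc comment turns chain ordering into a hard contract (first certificate signs intermediates, last certificate is the trust anchor) but nothing in this hunk enforces it, and the commit title describes a Vault-provider behavioral fix that does not appear in this diff — the only change here is to the comment — so any consumer that picks the trust root by position is still relying on each provider getting the order right. The comment also leaves two things callers need unstated: what a single-certificate chain means under the new rule, and the encoding of the returned string. I would add `// A single-certificate chain fills both roles: it signs intermediates and is` / `// itself the trusted CA.` and, if it holds for every provider, a sentence saying the chain is a PEM-concatenated string with no other framing. Since the ordering now carries trust implications, a validation helper on the consumer side (verifying that each certificate chains to the next and that the last is self-signed) would be the real safeguard; that belongs in a follow-up rather than in this comment. The PrimaryProvider interface continues outside the hunk.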