From 6ff17468985908e1e92f8b7d20b595b796693e0a Mon Sep 17 00:00:00 2001
From: William Johansson
Date: Sun, 18 Feb 2018 21:28:22 +0100
Subject: [PATCH] Bundle the CA public key in issued certificate

If the CA used is only an intermediate CA, and the root CA is trusted by the client, the client needs help verifying the certificate chain.
---
 pkg/issuer/ca/issue.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pkg/issuer/ca/issue.go b/pkg/issuer/ca/issue.go
index c36c26edb..213153187 100644
--- a/pkg/issuer/ca/issue.go
+++ b/pkg/issuer/ca/issue.go
@@ -151,5 +151,12 @@ func signCertificate(crt *v1alpha1.Certificate, issuerCert *x509.Certificate, pu
 if err != nil {
 return nil, nil, fmt.Errorf("error encoding certificate PEM: %s", err.Error())
 }
+
+ // bundle the CA
+ err = pem.Encode(pemBytes, &pem.Block{Type: "CERTIFICATE", Bytes: issuerCert.Raw})
+ if err != nil {
+ return nil, nil, fmt.Errorf("error encoding issuer cetificate PEM: %s", err.Error())
+ }
+
 return pemBytes.Bytes(), cert, err
 }
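Review bot: The added block appends `issuerCert.Raw` unconditionally and appends only that one certificate, so the returned PEM is a complete chain only when the issuer sits directly under a root the client already trusts. With a longer intermediate chain the client still cannot build the path, and with a self-signed root as issuer the extra block adds nothing to validation; I would say so in the comment, e.g. `// Append the direct issuer after the leaf so clients can build the chain; parents of the issuer are not included.` The first return value now holds two PEM blocks instead of one, so it is worth checking any caller that parses or compares it as a single certificate (the callers, and the start of signCertificate, are outside this hunk). The new error string has a typo: `"error encoding issuer cetificate PEM: %s"` should read `"error encoding issuer certificate PEM: %s"`. The final `return pemBytes.Bytes(), cert, err` can only return a nil error at that point, so `return pemBytes.Bytes(), cert, nil` would be clearer.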