fix #3619: Handle CA issuer working as intermediate correctly

Signed-off-by: Erik Godding Boye <egboye@gmail.com>

pkg/util/pki/csr.go

@@ -424,9 +424,9 @@ func SignCSRTemplate(caCerts []*x509.Certificate, caKey crypto.Signer, template
 		return nil, nil, errors.New("no CA certificates given to sign CSR template")
 	}
 
-	caCert := caCerts[0]
+	issuingCACert := caCerts[0]
 
-	certPem, _, err := SignCertificate(template, caCert, template.PublicKey, caKey)
+	certPem, _, err := SignCertificate(template, issuingCACert, template.PublicKey, caKey)
 	if err != nil {
 		return nil, nil, err
 
@@ -440,7 +440,8 @@ func SignCSRTemplate(caCerts []*x509.Certificate, caKey crypto.Signer, template
 	certPem = append(certPem, chainPem...)
 
 	// encode the CA certificate to be bundled in the output
-	caPem, err := EncodeX509(caCerts[0])
+	caCert := caCerts[len(caCerts)-1]
+	caPem, err := EncodeX509(caCert)
 	if err != nil {
 		return nil, nil, err
 	}