From bbafeeef67de3ef406f4e2cf501e52395877a582 Mon Sep 17 00:00:00 2001
From: Erik Godding Boye
Date: Sun, 4 Apr 2021 14:30:05 +0200
Subject: [PATCH] fix #3619: Handle CA issuer working as intermediate correctly
Signed-off-by: Erik Godding Boye
---
 pkg/util/pki/csr.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/pkg/util/pki/csr.go b/pkg/util/pki/csr.go
index 1eef77448..6751c046b 100644
--- a/pkg/util/pki/csr.go
+++ b/pkg/util/pki/csr.go
@@ -424,9 +424,9 @@ func SignCSRTemplate(caCerts []*x509.Certificate, caKey crypto.Signer, template
 return nil, nil, errors.New("no CA certificates given to sign CSR template")
 }
- caCert := caCerts[0]
+ issuingCACert := caCerts[0]
- certPem, _, err := SignCertificate(template, caCert, template.PublicKey, caKey)
+ certPem, _, err := SignCertificate(template, issuingCACert, template.PublicKey, caKey)
 if err != nil {
 return nil, nil, err
@@ -440,7 +440,8 @@ func SignCSRTemplate(caCerts []*x509.Certificate, caKey crypto.Signer, template
 certPem = append(certPem, chainPem...)
 // encode the CA certificate to be bundled in the output
- caPem, err := EncodeX509(caCerts[0])
+ caCert := caCerts[len(caCerts)-1]
+ caPem, err := EncodeX509(caCert)
 if err != nil {
 return nil, nil, err
 }
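Review bot: The second hunk now returns `caCerts[len(caCerts)-1]` as the CA while the first hunk signs with `caCerts[0]`, so SignCSRTemplate silently depends on the slice being ordered issuing CA first, root last, and nothing in the visible lines states or checks that. If a caller passes the bundle in another order, the PEM returned as the CA would not be the anchor of the chain that was just issued, which matters if consumers install it as their trust root. I would at least document the contract above the new line, e.g. `// caCerts must be ordered issuing CA first, root last; the last entry is returned as the CA`, and consider verifying adjacent entries with `caCerts[i].CheckSignatureFrom(caCerts[i+1])` before signing. The diffstat shows only csr.go changed, so a regression test covering an intermediate-plus-root chain would be worth adding; the function body starts and ends outside both hunks.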