From 96be92f3b5a466aaf8ec3e50a3fb4b219fbe974f Mon Sep 17 00:00:00 2001
From: Todd Radel
Date: Fri, 2 Aug 2019 15:36:03 -0400
Subject: [PATCH] connect: generate intermediate at same time as root (#6272)

Generate intermediate at same time as root

Co-Authored-By: Freddy
---
 agent/consul/leader_connect.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/agent/consul/leader_connect.go b/agent/consul/leader_connect.go
index bda98abe75..5a2e707fff 100644
--- a/agent/consul/leader_connect.go
+++ b/agent/consul/leader_connect.go
@@ -209,12 +209,21 @@ func (s *Server) initializeRootCA(provider ca.Provider, conf *structs.CAConfigur
 if err != nil {
 return fmt.Errorf("error getting root cert: %v", err)
 }
-
 rootCA, err := parseCARoot(rootPEM, conf.Provider, conf.ClusterID)
 if err != nil {
 return err
 }
 
+ // Also create the intermediate CA, which is the one that actually signs leaf certs
+ interPEM, err := provider.GenerateIntermediate()
+ if err != nil {
+ return fmt.Errorf("error generating intermediate cert: %v", err)
+ }
+ _, err = connect.ParseCert(interPEM)
+ if err != nil {
+ return fmt.Errorf("error getting intermediate cert: %v", err)
+ }
+
 commonConfig, err := conf.GetCommonConfig()
 if err != nil {
 return err
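Review bot: The added check after `provider.GenerateIntermediate()` only proves that `interPEM` parses, because the value returned by `connect.ParseCert(interPEM)` is discarded; nothing in the hunk confirms that the intermediate is a CA certificate or that it chains to the root parsed just above it. Since the new comment says this certificate is the one that signs leaf certs, I would keep the parsed value and verify it against the root, assuming `ParseCert` returns an `*x509.Certificate`: `interCert, err := connect.ParseCert(interPEM)` followed by `err = interCert.CheckSignatureFrom(rootCert)` with `rootCert` parsed from `rootPEM`, so a misconfigured provider fails at CA initialization instead of issuing leaves that peers cannot validate. The second error message also reads as a fetch failure although the step is a parse; `"error parsing intermediate cert: %v"` would make logs easier to triage. `initializeRootCA` starts and continues outside the hunk, so whether this runs on every leader initialization, and whether that mints a new intermediate each time, cannot be judged from here and is worth a comment.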