diff --git a/agent/consul/leader.go b/agent/consul/leader.go
index cf22c4418c..e1ab7dfbee 100644
--- a/agent/consul/leader.go
+++ b/agent/consul/leader.go
@@ -433,6 +433,12 @@ func (s *Server) initializeCA() error {
 		return err
 	}
 
+	// TODO(banks): in the case that we've just gained leadership in an already
+	// configured cluster. We really need to fetch RootCA from state to provide it
+	// in setCAProvider. This matters because if the current active root has
+	// intermediates, parsing the rootCA from only the root cert PEM above will
+	// not include them and so leafs we sign will not bundle the intermediates.
+
 	s.setCAProvider(provider, rootCA)
 
 	// Check if the CA root is already initialized and exit if it is.
@@ -445,6 +451,9 @@ func (s *Server) initializeCA() error {
 	}
 	if activeRoot != nil {
 		if activeRoot.ID != rootCA.ID {
+			// TODO(banks): this seems like a pretty catastrophic state to get into.
+			// Shouldn't we do something stronger than warn and continue signing with
+			// a key that's not the active CA according to the state?
 			s.logger.Printf("[WARN] connect: CA root %q is not the active root (%q)", rootCA.ID, activeRoot.ID)
 		}
 		return nil