From 0c2fb7252dd28b5108f8e9d544a893256729064f Mon Sep 17 00:00:00 2001
From: Kyle Havlovitz <kylehav@gmail.com>
Date: Thu, 1 Sep 2022 14:24:30 -0700
Subject: [PATCH] Prune intermediates before appending new one

---
 agent/consul/leader_connect_ca.go | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/agent/consul/leader_connect_ca.go b/agent/consul/leader_connect_ca.go
index d2cd021134..fe780f7f22 100644
--- a/agent/consul/leader_connect_ca.go
+++ b/agent/consul/leader_connect_ca.go
@@ -1098,9 +1098,13 @@ func setLeafSigningCert(caRoot *structs.CARoot, pem string) error {
 		return fmt.Errorf("error parsing leaf signing cert: %w", err)
 	}
 
+	if err := pruneExpiredIntermediates(caRoot); err != nil {
+		return err
+	}
+
 	caRoot.IntermediateCerts = append(caRoot.IntermediateCerts, pem)
 	caRoot.SigningKeyID = connect.EncodeSigningKeyID(cert.SubjectKeyId)
-	return pruneExpiredIntermediates(caRoot)
+	return nil
 }
 
 // pruneExpiredIntermediates removes expired intermediate certificates
@@ -1108,15 +1112,14 @@ func setLeafSigningCert(caRoot *structs.CARoot, pem string) error {
 func pruneExpiredIntermediates(caRoot *structs.CARoot) error {
 	var newIntermediates []string
 	now := time.Now()
-	for i, intermediatePEM := range caRoot.IntermediateCerts {
+	for _, intermediatePEM := range caRoot.IntermediateCerts {
 		cert, err := connect.ParseCert(intermediatePEM)
 		if err != nil {
 			return fmt.Errorf("error parsing leaf signing cert: %w", err)
 		}
 
-		// Only keep the intermediate cert if it's still valid, or if it's the most
-		// recently added (and thus the active signing cert).
-		if cert.NotAfter.After(now) || i == len(caRoot.IntermediateCerts) {
+		// Only keep the intermediate cert if it's still valid.
+		if cert.NotAfter.After(now) {
 			newIntermediates = append(newIntermediates, intermediatePEM)
 		}
 	}