diff --git a/api/agent_test.go b/api/agent_test.go
index d78187906a..5ddcc34235 100644
--- a/api/agent_test.go
+++ b/api/agent_test.go
@@ -1389,6 +1389,9 @@ func TestAPI_AgentConnectCALeaf(t *testing.T) {
  c, s := makeClient(t)
  defer s.Stop()

+ // ensure we don't try to sign a leaf cert before connect has been initialized
+ s.WaitForActiveCARoot(t)
+
  agent := c.Agent()
  // Setup service
  reg := &AgentServiceRegistration{
diff --git a/sdk/testutil/server.go b/sdk/testutil/server.go
index f6f0cbdc18..66c7f43f94 100644
--- a/sdk/testutil/server.go
+++ b/sdk/testutil/server.go
@@ -433,6 +433,13 @@ func (s *TestServer) WaitForLeader(t *testing.T) {
 // WaitForActiveCARoot waits until the server can return a Connect CA meaning
 // connect has completed bootstrapping and is ready to use.
 func (s *TestServer) WaitForActiveCARoot(t *testing.T) {
+ // don't need to fully decode the response
+ type rootsResponse struct {
+ ActiveRootID string
+ TrustDomain string
+ Roots []interface{}
+ }
+
  retry.Run(t, func(r *retry.R) {
  // Query the API and check the status code.
  url := s.url("/v1/agent/connect/ca/roots")
@@ -448,6 +455,17 @@ func (s *TestServer) WaitForActiveCARoot(t *testing.T) {
  if err := s.requireOK(resp); err != nil {
  r.Fatal("failed OK response", err)
  }
+
+ var roots rootsResponse
+
+ dec := json.NewDecoder(resp.Body)
+ if err := dec.Decode(&roots); err != nil {
+ r.Fatal(err)
+ }
+
+ if roots.ActiveRootID == "" || len(roots.Roots) < 1 {
+ r.Fatalf("/v1/agent/connect/ca/roots returned 200 but without roots: %+v", roots)
+ }
  })
 }
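Review bot: `TrustDomain` is declared in the new `rootsResponse` type but the readiness check added further down in this function never reads it, so it only shows up in the `%+v` failure output. Either drop the field or say why it is kept, for example `// TrustDomain is decoded only so it appears in the failure message`. If an empty trust domain also means Connect has not finished bootstrapping (not confirmable from this hunk), adding `roots.TrustDomain == ""` to the condition would make the wait stricter. The body of WaitForActiveCARoot continues outside this hunk.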
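Review bot: The decode failure path calls `r.Fatal(err)` with no context, unlike the neighbouring `r.Fatal("failed OK response", err)`, so a retry log will not say which step failed; `r.Fatal("failed decoding CA roots response", err)` would match the surrounding style. The new condition also only proves that `ActiveRootID` is non-empty and that `Roots` has at least one entry. Because `Roots` is decoded as `[]interface{}`, it cannot confirm that the active ID names one of the returned roots. If tests that sign leaf certificates rely on this helper as a guarantee of a usable root, decoding each root's ID and matching it against `ActiveRootID` would make that guarantee exact. The start of the function and the request setup are outside this hunk, so whether `resp.Body` is closed on every path cannot be checked from here.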