Prune intermediates before appending new one

agent/consul/leader_connect_ca.go

@@ -1098,9 +1098,13 @@ func setLeafSigningCert(caRoot *structs.CARoot, pem string) error {
 		return fmt.Errorf("error parsing leaf signing cert: %w", err)
 	}
 
+	if err := pruneExpiredIntermediates(caRoot); err != nil {
+		return err
+	}
+
 	caRoot.IntermediateCerts = append(caRoot.IntermediateCerts, pem)
 	caRoot.SigningKeyID = connect.EncodeSigningKeyID(cert.SubjectKeyId)
-	return pruneExpiredIntermediates(caRoot)
+	return nil
 }
 
 // pruneExpiredIntermediates removes expired intermediate certificates
@@ -1108,15 +1112,14 @@ func setLeafSigningCert(caRoot *structs.CARoot, pem string) error {
 func pruneExpiredIntermediates(caRoot *structs.CARoot) error {
 	var newIntermediates []string
 	now := time.Now()
-	for i, intermediatePEM := range caRoot.IntermediateCerts {
+	for _, intermediatePEM := range caRoot.IntermediateCerts {
 		cert, err := connect.ParseCert(intermediatePEM)
 		if err != nil {
 			return fmt.Errorf("error parsing leaf signing cert: %w", err)
 		}
 
-		// Only keep the intermediate cert if it's still valid, or if it's the most
-		// recently added (and thus the active signing cert).
-		if cert.NotAfter.After(now) || i == len(caRoot.IntermediateCerts) {
+		// Only keep the intermediate cert if it's still valid.
+		if cert.NotAfter.After(now) {
 			newIntermediates = append(newIntermediates, intermediatePEM)
 		}
 	}