91d9544803
This fixes an issue where leaf certificates issued in primary datacenters using Vault as a Connect CA would be reissued very frequently (every ~20 seconds) because the logic meant to detect root rotation was errantly triggering. The hash of the rootCA was being compared against a hash of the intermediateCA and always failing. This doesn't apply to the Consul built-in CA provider because there is no intermediate in use in the primary DC. This is reminiscent of #6513
4 lines
140 B
Plaintext
4 lines
140 B
Plaintext
```release-note:bug
|
|
connect: connect CA Roots in the primary datacenter should use a SigningKeyID derived from their local intermediate
|
|
```
|