diff --git a/builtin/logical/pki/path_intermediate.go b/builtin/logical/pki/path_intermediate.go
index 29862dd3e..ce172c97a 100644
--- a/builtin/logical/pki/path_intermediate.go
+++ b/builtin/logical/pki/path_intermediate.go
@@ -63,6 +63,17 @@ func (b *backend) pathGenerateIntermediate(ctx context.Context, req *logical.Req
 data.Raw["exported"] = "existing"
 }
 
+ // Nasty hack part two. :-) For generation of CSRs, certutil presently doesn't
+ // support configuration of this. However, because we need generation parameters,
+ // which create a role and attempt to read this parameter, we need to provide
+ // a value (which will be ignored). Hence, we stub in the missing parameter here,
+ // including its schema, just enough for it to work..
+ data.Schema["signature_bits"] = &framework.FieldSchema{
+ Type: framework.TypeInt,
+ Default: 0,
+ }
+ data.Raw["signature_bits"] = 0
+
 exported, format, role, errorResp := b.getGenerationParams(ctx, req.Storage, data)
 if errorResp != nil {
 return errorResp, nil
diff --git a/builtin/logical/pki/path_manage_issuers.go b/builtin/logical/pki/path_manage_issuers.go
index 9bce9f000..361be59aa 100644
--- a/builtin/logical/pki/path_manage_issuers.go
+++ b/builtin/logical/pki/path_manage_issuers.go
@@ -78,6 +78,12 @@ workaround in some compatibility scenarios with Active Directory Certificate
 Services.`,
 }
 
+ // Signature bits isn't respected on intermediate generation, as this
+ // only impacts the CSR's internal signature and doesn't impact the
+ // signed certificate's bits (that's on the /sign-intermediate
+ // endpoints). Remove it from the list of fields to avoid confusion.
+ delete(ret.Fields, "signature_bits")
+
 return ret
 }
diff --git a/changelog/15478.txt b/changelog/15478.txt
new file mode 100644
index 000000000..4e353917e
--- /dev/null
+++ b/changelog/15478.txt
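Review bot: The added `data.Schema["signature_bits"] = &framework.FieldSchema{...}` line writes into the schema map carried by `data`, and if the framework hands each request the path's own `Fields` map rather than a copy (which is how `framework.Backend` normally constructs `FieldData`, and the second hunk of this diff deletes the field from exactly that map), every call to this handler performs an unsynchronized write into a map shared by all concurrent requests to the path; concurrent map writes in Go are a fatal runtime error, not a recoverable panic, so two overlapping intermediate-generate calls could take down the whole server. The `data.Raw["signature_bits"] = 0` write is per-request and fine; only the `Schema` write is the concern. I would build a private copy of the schema with the stub added and pass that to `getGenerationParams`, as sketched below. The enclosing `pathGenerateIntermediate` starts and ends outside this hunk.

```go
	// … unchanged: "exported" handling …
	// Stub signature_bits into a per-request copy of the schema: data.Schema
	// may be the path's shared Fields map, which must never be written here.
	schema := make(map[string]*framework.FieldSchema, len(data.Schema)+1)
	for k, v := range data.Schema {
		schema[k] = v
	}
	schema["signature_bits"] = &framework.FieldSchema{
		Type:    framework.TypeInt,
		Default: 0,
	}
	data = &framework.FieldData{Raw: data.Raw, Schema: schema}
	data.Raw["signature_bits"] = 0

	exported, format, role, errorResp := b.getGenerationParams(ctx, req.Storage, data)
	// … unchanged: error handling …
```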
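Review bot: The comment above `delete(ret.Fields, "signature_bits")` says why the field is dropped from the path schema but not that the request handler in path_intermediate.go (first hunk of this diff) now has to stub the very same field back in at request time so that `getGenerationParams` can read it; the two edits only work together, and whoever later re-adds the field here or removes the stub there will break the other side with no compile-time signal. I would extend the comment with one line such as `// NOTE: pathGenerateIntermediate (path_intermediate.go) re-stubs this field at request time for getGenerationParams; keep the two in sync.` Since the field is still accepted by the handler but no longer advertised, the public API docs for this endpoint should drop signature_bits in the same change if they list it (not visible in this diff). The function that builds `ret` starts outside this hunk.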
@@ -0,0 +1,3 @@
+```release-note:change
+secret/pki: Remove unused signature_bits parameter from intermediate CSR generation; this parameter doesn't control the final certificate's signature algorithm selection as that is up to the signing CA
+```