Update docs to reflect ability to load cold CA certs to output full chains. (#3740)

helper/certutil/helpers.go

@@ -102,8 +102,8 @@ func ParsePKIJSON(input []byte) (*ParsedCertBundle, error) {
 
 // ParsePEMBundle takes a string of concatenated PEM-format certificate
 // and private key values and decodes/parses them, checking validity along
-// the way. There must be at max two certificates (a certificate and its
-// issuing certificate) and one private key.
+// the way. The first certificate must be the subject certificate and issuing
+// certificates may follow.  There must be at most one private key.
 func ParsePEMBundle(pemBundle string) (*ParsedCertBundle, error) {
 	if len(pemBundle) == 0 {
 		return nil, errutil.UserError{"empty pem bundle"}

website/source/api/secret/pki/index.html.md

@@ -175,9 +175,14 @@ $ curl \
 ## Submit CA Information
 
 This endpoint allows submitting the CA information for the backend via a PEM
-file containing the CA certificate and its private key, concatenated. Not needed
-if you are generating a self-signed root certificate, and not used if you have a
-signed intermediate CA certificate with a generated key (use the
+file containing the CA certificate and its private key, concatenated.
+
+May optionally append additional CA certificates.  Useful when creating an
+intermediate CA to ensure a full chain is returned when signing or generating
+certificates.
+
+Not needed if you are generating a self-signed root certificate, and not used
+if you have a signed intermediate CA certificate with a generated key (use the
 `/pki/intermediate/set-signed` endpoint for that). _If you have already set a
 certificate and key, they will be overridden._