From 4c9dccd3f6bf891fe1f6e3f38747398e98837521 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Mon, 4 Feb 2019 10:29:52 -0800
Subject: [PATCH] Allow multiple certificates in the root pem.
---
 ca/client.go | 13 +++----------
 1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/ca/client.go b/ca/client.go
index e138698f..5c539da7 100644
--- a/ca/client.go
+++ b/ca/client.go
@@ -12,7 +12,6 @@ import (
 "crypto/x509/pkix"
 "encoding/hex"
 "encoding/json"
- "encoding/pem"
 "io"
 "io/ioutil"
 "net"
@@ -116,16 +115,10 @@ func getTransportFromFile(filename string) (http.RoundTripper, error) {
 if err != nil {
 return nil, errors.Wrapf(err, "error reading %s", filename)
 }
- block, _ := pem.Decode(data)
- if block == nil {
- return nil, errors.Errorf("error decoding %s", filename)
- }
- root, err := x509.ParseCertificate(block.Bytes)
- if err != nil {
- return nil, errors.Wrapf(err, "error parsing %s", filename)
- }
 pool := x509.NewCertPool()
- pool.AddCert(root)
+ if !pool.AppendCertsFromPEM(data) {
+ return nil, errors.Errorf("error parsing %s: no certificates found", filename)
+ }
 return getDefaultTransport(&tls.Config{
 MinVersion: tls.VersionTLS12,
 PreferServerCipherSuites: true,
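Review bot: `pool.AppendCertsFromPEM(data)` in getTransportFromFile returns true as soon as one certificate parses and silently skips any PEM block that is not a CERTIFICATE or fails to parse, so a truncated or corrupted root bundle produces a smaller trust pool with no error. The removed code returned the underlying x509 parse error, whereas the new message only covers the case where nothing parsed at all. Every certificate in this file becomes a TLS trust anchor for the client, so I would parse block by block and fail on the first bad entry; that means keeping the `encoding/pem` import which the first hunk drops. The function body continues past the end of the hunk.

```go
pool := x509.NewCertPool()
// Strict parse: every PEM block must be a valid certificate, so a damaged
// bundle is rejected instead of being loaded partially.
var found bool
for rest := data; ; {
	var block *pem.Block
	block, rest = pem.Decode(rest)
	if block == nil {
		break
	}
	if block.Type != "CERTIFICATE" {
		return nil, errors.Errorf("error parsing %s: unexpected PEM block %q", filename, block.Type)
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, errors.Wrapf(err, "error parsing %s", filename)
	}
	pool.AddCert(cert)
	found = true
}
if !found {
	return nil, errors.Errorf("error parsing %s: no certificates found", filename)
}
// … unchanged: return getDefaultTransport(&tls.Config{ … }) …
```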