diff --git a/ca/certificates_test.go b/ca/certificates_test.go
index 8ab9383f0c..ab488ad505 100644
--- a/ca/certificates_test.go
+++ b/ca/certificates_test.go
@@ -619,6 +619,14 @@ func TestNewRootCAInvalidCertAndKeys(t *testing.T) {
 notYetValidIntermediate := testutils.ReDateCert(t, testutils.ECDSACertChain[1], testutils.ECDSACertChain[2], testutils.ECDSACertChainKeys[2], now.Add(time.Hour), now.Add(2*time.Hour))
+ certChainRootCA, err := ca.NewRootCA(testutils.ECDSACertChain[2], testutils.ECDSACertChain[2], testutils.ECDSACertChainKeys[2],
+ ca.DefaultNodeCertExpiration, nil)
+ require.NoError(t, err)
+
+ cert, _, _ := testutils.CreateRootCertAndKey("alternateIntermediate")
+ alternateIntermediate, err := certChainRootCA.CrossSignCACertificate(cert)
+ require.NoError(t, err)
+
 invalids := []invalidNewRootCATestCase{
 // invalid root or signer cert
 {
@@ -772,6 +780,13 @@ func TestNewRootCAInvalidCertAndKeys(t *testing.T) {
 intermediates: testutils.ECDSA256SHA256Cert,
 errorStr: "unknown authority", // intermediates don't chain up to root
 },
+ {
+ roots: testutils.ECDSACertChain[2],
+ cert: testutils.ECDSACertChain[1],
+ key: testutils.ECDSACertChainKeys[1],
+ intermediates: alternateIntermediate,
+ errorStr: "the first intermediate must have the same subject and public key as the signing cert",
+ },
 }
 for i, invalid := range invalids {
diff --git a/ca/server.go b/ca/server.go
index b78c00f396..767f66d42e 100644
--- a/ca/server.go
+++ b/ca/server.go
@@ -542,7 +542,6 @@ func (s *Server) UpdateRootCA(ctx context.Context, cluster *api.Cluster) error {
 s.secConfigMu.Lock()
 defer s.secConfigMu.Unlock()
- var err error
 rCA := cluster.RootCA
 rootCAChanged := len(rCA.CACert) != 0 && !equality.RootCAEqualStable(s.lastSeenClusterRootCA, &cluster.RootCA)
 externalCAChanged := !equality.ExternalCAsEqualStable(s.lastSeenExternalCAs, cluster.Spec.CAConfig.ExternalCAs)
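Review bot: `cert, _, _ := testutils.CreateRootCertAndKey("alternateIntermediate")` in the new setup drops both remaining return values, and if the last of them is an error (the three-value shape suggests it; the helper's signature is outside the hunk) a failure there would only surface later as a nil-cert failure inside CrossSignCACertificate rather than at the point it happened. Check it where it occurs: `cert, _, err := testutils.CreateRootCertAndKey("alternateIntermediate")` followed by `require.NoError(t, err)`. The enclosing test function starts and ends outside the hunk.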
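Review bot: The new test case is the only entry in this list without a trailing comment saying why it is invalid, while its sibling `errorStr: "unknown authority", // intermediates don't chain up to root` explains itself; the point here is subtle, since alternateIntermediate does chain up to testutils.ECDSACertChain[2] but is not the cert being loaded, so the check is rejecting a correctly signed yet unrelated intermediate. Add `errorStr: "the first intermediate must have the same subject and public key as the signing cert", // chains to the root, but is not the signing cert`. The enclosing test function starts and ends outside the hunk.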
@@ -565,7 +564,7 @@ func (s *Server) UpdateRootCA(ctx context.Context, cluster *api.Cluster) error {
 }
 } else {
 // NodeCertExpiry seems to be nil
- logger.WithError(err).Warn("failed to parse certificate expiration, using default")
+ logger.Warn("no certificate expiration specified, using default")
 }
 // Attempt to update our local RootCA with the new parameters
 var intermediates []byte
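Review bot: The comment `// NodeCertExpiry seems to be nil` above the changed line is now the branch's only explanation and hedges on something the code knows: this appears to be the else arm of a nil check on cluster.Spec.CAConfig.NodeCertExpiry (the condition is outside the hunk), so `// NodeCertExpiry is unset; fall back to the default expiration` says it directly. The new message is an improvement in that it no longer reports a parse failure through an `err` that this branch had not assigned. UpdateRootCA starts and ends outside the hunk.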