From 63fcb1a3275bdf18de0314ed16947709f8013406 Mon Sep 17 00:00:00 2001
From: Ying Li
Date: Wed, 7 Jun 2017 16:33:32 -0700
Subject: [PATCH] Ensure that the test CA, if an external CA is desired, does not have a local signer.
Signed-off-by: Ying Li
---
ca/testutils/cautils.go | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/ca/testutils/cautils.go b/ca/testutils/cautils.go
index a1cce37f04..faac47cf9c 100644
--- a/ca/testutils/cautils.go
+++ b/ca/testutils/cautils.go
@@ -144,12 +144,28 @@ func NewTestCAFromAPIRootCA(t *testing.T, tempBaseDir string, apiRootCA api.Root
 if External {
 // Start the CA API server - ensure that the external server doesn't have any intermediates
- externalSigningServer, err = NewExternalSigningServer(rootCA, tempBaseDir)
- assert.NoError(t, err)
+ var extRootCA ca.RootCA
+ if apiRootCA.RootRotation != nil {
+ extRootCA, err = ca.NewRootCA(
+ apiRootCA.RootRotation.CACert, apiRootCA.RootRotation.CACert, apiRootCA.RootRotation.CAKey, ca.DefaultNodeCertExpiration, nil)
+ // remove the key from the API root CA so that once the CA server starts up, it won't have a local signer
+ apiRootCA.RootRotation.CAKey = nil
+ } else {
+ extRootCA, err = ca.NewRootCA(
+ apiRootCA.CACert, apiRootCA.CACert, apiRootCA.CAKey, ca.DefaultNodeCertExpiration, nil)
+ // remove the key from the API root CA so that once the CA server starts up, it won't have a local signer
+ apiRootCA.CAKey = nil
+ }
+ require.NoError(t, err)
+ externalSigningServer, err = NewExternalSigningServer(extRootCA, tempBaseDir)
+ require.NoError(t, err)
 externalCAs = []*api.ExternalCA{
 {
 Protocol: api.ExternalCA_CAProtocolCFSSL,
 URL: externalSigningServer.URL,
+ CACert: extRootCA.Certs,
 },
 }
 }
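Review bot: In the RootRotation branch only `apiRootCA.RootRotation.CAKey` is cleared while `apiRootCA.CAKey` is left in place, so whether the CA server really comes up without a local signer there depends on which key it loads mid-rotation, which this hunk does not show; if the intent is "no local signer at all", clearing both (`apiRootCA.CAKey = nil` in that branch as well) would make the test assert that unambiguously rather than rely on server behaviour. Separately, `RootRotation` is nil-checked and so is presumably a pointer field, meaning `apiRootCA.RootRotation.CAKey = nil` mutates the caller's struct even though `apiRootCA` itself is passed by value; a comment such as `// NOTE: this also clears RootRotation.CAKey on the caller's api.RootCA (pointer field)` would warn callers that reuse that value after the test CA is built. NewTestCAFromAPIRootCA begins before and continues after this hunk, so what the CA server later does with the remaining key is inferred, not visible here.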