diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
index 8217f47b267ff..2592a5bbedfbb 100644
--- a/lib/auth/auth_with_roles.go
+++ b/lib/auth/auth_with_roles.go
@@ -3350,8 +3350,13 @@ func (a *ServerWithRoles) generateUserCerts(ctx context.Context, req proto.UserC
 	// If the cert is renewable, process any certificate generation counter.
 	if certReq.renewable {
 		currentIdentityGeneration := a.context.Identity.GetIdentity().Generation
-		if experiment.Enabled() {
+		// If we're handling a renewal for a bot, we want to return the
+		// Host CAs as well as the User CAs.
+		if certReq.botName != "" {
+			certReq.includeHostCA = true
+		}
+
 		// Update the bot instance based on this authentication. This may create
 		// a new bot instance record if the identity is missing an instance ID.
 		if err := a.authServer.updateBotInstance(
diff --git a/lib/auth/bot_test.go b/lib/auth/bot_test.go
index 293284b37f704..60e446d6c58b6 100644
--- a/lib/auth/bot_test.go
+++ b/lib/auth/bot_test.go
@@ -197,6 +197,9 @@ func TestRegisterBotCertificateGenerationCheck(t *testing.T) {
 	renewedIdent, err := tlsca.FromSubject(renewedCert.Subject, renewedCert.NotAfter)
 	require.NoError(t, err)
+	// Validate that we receive 2 TLS CAs (Host and User)
+	require.Len(t, certs.TLSCACerts, 2)
+
 	// Cert must be renewable.
 	require.True(t, renewedIdent.Renewable)
 	require.False(t, renewedIdent.DisallowReissue)
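Review bot: The new `certReq.includeHostCA = true` is gated on `certReq.botName != ""` but sits inside the `if certReq.renewable {` branch, so a bot certificate issued through a non-renewable path still comes back without the Host CA; if that is intended, the comment should say so, e.g. `// Bot renewals return the Host CA alongside the User CA; non-renewable bot paths are handled elsewhere.`, otherwise the assignment belongs before the renewable check. The comment also says what is done but not why a bot needs the Host CA on renewal (presumably to verify host certificates on the client side — confirm), which is worth one sentence because the flag widens the CA material handed out on this path. The hunk removes only the opening `if experiment.Enabled() {` line; its closing brace is not visible here, so it is presumably dropped in a hunk outside this chunk. generateUserCerts starts and ends outside the hunk.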
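Review bot: `require.Len(t, certs.TLSCACerts, 2)` pins only the count, so it would still pass if the bundle held two User CA certificates and no Host CA, and it would fail spuriously if the test cluster ever carried an extra CA key (for example during a rotation). A stronger check is to compare the returned certificates against the Host and User CA material fetched from the test auth server rather than counting them, or at least record the assumption in the comment: `// Validate that we receive 2 TLS CAs (Host and User); assumes a single active key per CA.` TestRegisterBotCertificateGenerationCheck starts and ends outside the hunk.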