From 3c9680709bfb39175e04aea8f0bd8ba5bd1f1653 Mon Sep 17 00:00:00 2001
From: Chris Hoffman <99742+chrishoffman@users.noreply.github.com>
Date: Tue, 19 Nov 2019 11:13:42 -0500
Subject: [PATCH] if storing the certificate, always generate/sign the certificate on the primary

---
 builtin/logical/pki/path_issue_sign.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/builtin/logical/pki/path_issue_sign.go b/builtin/logical/pki/path_issue_sign.go
index 8df1a7c50c37..3f5a4631dd36 100644
--- a/builtin/logical/pki/path_issue_sign.go
+++ b/builtin/logical/pki/path_issue_sign.go
@@ -9,6 +9,7 @@ import (
 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/certutil"
+	"github.com/hashicorp/vault/sdk/helper/consts"
 	"github.com/hashicorp/vault/sdk/helper/errutil"
 	"github.com/hashicorp/vault/sdk/logical"
 )
@@ -188,6 +189,11 @@ func (b *backend) pathSignVerbatim(ctx context.Context, req *logical.Request, da
 }
 
 func (b *backend) pathIssueSignCert(ctx context.Context, req *logical.Request, data *framework.FieldData, role *roleEntry, useCSR, useCSRValues bool) (*logical.Response, error) {
+	// If storing the certificate and on a performance standby, forward this request on to the primary
+	if !role.NoStore && b.System().ReplicationState().HasState(consts.ReplicationPerformanceStandby) {
+		return nil, logical.ErrReadOnly
+	}
+
 	format := getFormat(data)
 	if format == "" {
 		return logical.ErrorResponse(
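Review bot: The comment on the new guard in pathIssueSignCert overstates what the code itself does: the function only returns `logical.ErrReadOnly`, and the actual forwarding to the primary depends on the caller (presumably Vault core, inferred from the sentinel's name) translating that error into a forward, which nothing in this file shows. Suggest spelling out the risk the check averts instead, e.g. `// A performance standby cannot persist the issued certificate; return ErrReadOnly so the request is handled by the primary instead of issuing a cert that is never stored (and so cannot be revoked or found in storage later).` The guard also runs before any request validation (getFormat and the checks that follow), so a malformed request on a standby is forwarded rather than rejected locally — acceptable, but worth a word if intentional. The guard dereferences role without a nil check; the callers outside the hunk presumably guarantee it is non-nil. pathIssueSignCert's body continues outside the hunk, and the import hunk needs no note.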