From 3ab81793ce3b7765fcb4a4848438e50b7de637fd Mon Sep 17 00:00:00 2001
From: Dmitriy Selyuzhitskiy <d.seluzhitskiy@gmail.com>
Date: Thu, 16 Oct 2025 19:16:36 +0300
Subject: [PATCH] VAULT-31597: fix check invalidKeyUsages slice emptiness when
 validating CA key usages

---
 builtin/logical/pki/path_root.go | 2 +-
 changelog/31597.txt              | 3 +++
 2 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 changelog/31597.txt

diff --git a/builtin/logical/pki/path_root.go b/builtin/logical/pki/path_root.go
index 7e803afc38..bca4348934 100644
--- a/builtin/logical/pki/path_root.go
+++ b/builtin/logical/pki/path_root.go
@@ -693,7 +693,7 @@ func validateCaKeyUsages(keyUsages []string) error {
 			invalidKeyUsages = append(invalidKeyUsages, fmt.Sprintf("unrecognized key usage %s", usage))
 		}
 	}
-	if invalidKeyUsages != nil {
+	if len(invalidKeyUsages) > 0 {
 		return errors.New(strings.Join(invalidKeyUsages, "; "))
 	}
 	return nil
diff --git a/changelog/31597.txt b/changelog/31597.txt
new file mode 100644
index 0000000000..23cc670f18
--- /dev/null
+++ b/changelog/31597.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+builtin/logical/pki: don't return error for valid CA Key Usages on validation
+```