From ac2bc073eb421487120eb340aaf4f5961d3cb055 Mon Sep 17 00:00:00 2001
From: Scott Bell
Date: Mon, 16 May 2016 12:51:52 -0700
Subject: [PATCH] crypto/tls: document certificate chains in LoadX509KeyPair

Fixes #15348

Change-Id: I9e0e1e3a26fa4cd697d2c613e6b4952188b7c7e1
Reviewed-on: https://go-review.googlesource.com/23150
Reviewed-by: Brad Fitzpatrick
---
 tls.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/tls.go b/tls.go
index 0be0b42..25dc386 100644
--- a/tls.go
+++ b/tls.go
@@ -170,10 +170,11 @@ func Dial(network, addr string, config *Config) (*Conn, error) {
 return DialWithDialer(new(net.Dialer), network, addr, config)
 }
 
-// LoadX509KeyPair reads and parses a public/private key pair from a pair of
-// files. The files must contain PEM encoded data. On successful return,
-// Certificate.Leaf will be nil because the parsed form of the certificate is
-// not retained.
+// LoadX509KeyPair reads and parses a public/private key pair from a pair
+// of files. The files must contain PEM encoded data. The certificate file
+// may contain intermediate certificates following the leaf certificate to
+// form a certificate chain. On successful return, Certificate.Leaf will
+// be nil because the parsed form of the certificate is not retained.
 func LoadX509KeyPair(certFile, keyFile string) (Certificate, error) {
 certPEMBlock, err := ioutil.ReadFile(certFile)
 if err != nil {
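Review bot: The new sentence in the LoadX509KeyPair doc comment allows intermediates after the leaf, but it omits two things a caller configuring a server needs to know: that the leaf must be the first certificate in the file, and that nothing checks the following certificates actually chain to it. As far as I recall, the private key is matched only against the first certificate and the rest are passed through as given; the function body continues outside this hunk, so confirm there. I would extend the comment with something like `// The leaf must come first: the private key is checked against the first certificate only, and the remaining certificates are not verified to form a valid chain.`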