diff --git a/cmd/menshen/main.go b/cmd/menshen/main.go
index af43472f63d6760facd7d07f2ad65bcef2e3046e..2e1a6e7e2b17326d459eda92ef565392d18835a8 100644
--- a/cmd/menshen/main.go
+++ b/cmd/menshen/main.go
@@ -196,50 +196,44 @@ func main() {
 	}
 
 	if cfg.CaFile == "" {
-		log.Info("No CaFile is specified in the environment, relying on trusted certs installed on the system")
+		log.Errorf("Error: parameter %s is required", caFile)
+		os.Exit(1)
+	} else if _, err := os.Stat(cfg.CaFile); err != nil {
+		log.Errorf("Error: Could not load CaFile. %s", err)
+		os.Exit(1)
 	} else {
-		if _, err := os.Stat(cfg.CaFile); err != nil {
-			log.Errorf("Error: Could not load CaFile. %s", err)
-			os.Exit(1)
-		} else {
-			log.Debugf("Using %s as CaFile", cfg.CaFile)
-		}
+		log.Debugf("Using %s as CaFile", cfg.CaFile)
 	}
 
 	// either clientcertURL or else cfg.OvpnCaCrt, cfg.OvpnCaKey, cfg.Algo are required for local cert generation
 	if cfg.ClientCertURL != "" {
 		log.Infof("Configuring menshen to fetch certs form remote URL: %s", cfg.ClientCertURL)
 	} else {
-
 		if cfg.OvpnCaCrt == "" {
 			log.Errorf("Error: parameter --%s is required.", ovpnCaCrt)
 			log.Errorf("Please specify a file containing the CA certificate required for generating openvpn client certificate.")
 			os.Exit(1)
+		} else if _, err := os.Stat(cfg.OvpnCaCrt); err != nil {
+			log.Errorf("Error: Could not load %s. %s", ovpnCaCrt, err)
+			os.Exit(1)
 		} else {
-			if _, err := os.Stat(cfg.OvpnCaCrt); err != nil {
-				log.Errorf("Error: Could not load %s. %s", ovpnCaCrt, err)
-				os.Exit(1)
-			} else {
-				log.Debug(fmt.Sprintf("Using %s as %s", cfg.OvpnCaCrt, ovpnCaCrt))
-			}
+			log.Debug(fmt.Sprintf("Using %s as %s", cfg.OvpnCaCrt, ovpnCaCrt))
 		}
 
 		if cfg.OvpnCaKey == "" {
 			log.Errorf("Error: parameter --%s is required.", ovpnCaKey)
 			log.Errorf("Please specify a file containing the CA key required for signing openvpn client certificate.")
 			os.Exit(1)
+		} else if _, err := os.Stat(cfg.OvpnCaKey); err != nil {
+			log.Errorf("Error: Could not load %s. %s", ovpnCaKey, err)
+			os.Exit(1)
 		} else {
-			if _, err := os.Stat(cfg.OvpnCaKey); err != nil {
-				log.Errorf("Error: Could not load %s. %s", ovpnCaKey, err)
-				os.Exit(1)
-			} else {
-				log.Debugf("Using %s as %s", cfg.OvpnCaKey, ovpnCaKey)
-			}
+			log.Debugf("Using %s as %s", cfg.OvpnCaKey, ovpnCaKey)
 		}
 
-		if cfg.Algo != "ed25519" && cfg.Algo != "ecdsa" {
+		if cfg.Algo != "ed25519" && cfg.Algo != "ecdsa" && cfg.Algo != "rsa" {
 			log.Errorf("Error: parameter --%s %s is not supported.", algo, cfg.Algo)
-			log.Errorf("Please specify a supported algo for cert generation. Currently supported algorithms are: ed25519, ecdsa.")
+			log.Errorf("Please specify a supported algo for cert generation. Currently supported algorithms are: ed25519, ecdsa, rsa.")
 			os.Exit(1)
 		}
 	}
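Review bot: The new `os.Stat(cfg.CaFile)` branch only proves that the path exists, yet this commit makes CaFile mandatory and, judging by the pkg/api/cert.go change, its contents appear to end up verbatim in the `<ca>` block handed to clients. A directory, an unreadable file, or a PEM file that also carries a private key all pass the stat check. Reading and parsing the file at startup, and refusing any block that is not a CERTIFICATE, would stop a misconfigured trust anchor before it is served. This needs encoding/pem and crypto/x509 in main.go, whose import block is not visible here. main's body starts and ends outside the hunk.

```go
	if cfg.CaFile == "" {
		// … unchanged: "parameter is required" error and exit …
	}
	caPEM, readErr := os.ReadFile(cfg.CaFile)
	if readErr != nil {
		log.Errorf("Error: Could not load CaFile. %s", readErr)
		os.Exit(1)
	}
	certs := 0
	for rest := caPEM; ; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break
		}
		// Anything other than a certificate (e.g. a key) must never reach clients.
		if block.Type != "CERTIFICATE" {
			log.Errorf("Error: CaFile %s contains a %q block, only CERTIFICATE is allowed", cfg.CaFile, block.Type)
			os.Exit(1)
		}
		if _, parseErr := x509.ParseCertificate(block.Bytes); parseErr != nil {
			log.Errorf("Error: Could not parse CaFile. %s", parseErr)
			os.Exit(1)
		}
		certs++
	}
	if certs == 0 {
		log.Errorf("Error: CaFile %s contains no certificate", cfg.CaFile)
		os.Exit(1)
	}
	log.Debugf("Using %s as CaFile", cfg.CaFile)
```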
diff --git a/pkg/api/cert.go b/pkg/api/cert.go
index c61378ca1f051c8e33ab85ad5cf0043c49ef27dc..c4f81b81905b4449d69711dd0b86462e143fc052 100644
--- a/pkg/api/cert.go
+++ b/pkg/api/cert.go
@@ -174,7 +174,7 @@ func (r *registry) CertWriter(ovpnCaCrt string, ovpnCaKey string, algo string, e
 
 	if addRootCa {
 		// Write the ca cert
-		if err = writeCACertificate(addEnvelope, &buf, ca.Raw); err != nil {
+		if err = writeCACertificate(addEnvelope, &buf, r.ca); err != nil {
 			return "", err
 		}
 	}
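Review bot: The comment `// Write the ca cert` no longer says which CA is meant, now that the call passes `r.ca` instead of `ca.Raw`. Two CAs are in play in CertWriter: the local `ca`, which presumably comes from `ovpnCaCrt` and signs the client certificate, and the registry's PEM root CA. I would replace the comment with something like `// Write the registry's root CA (r.ca, already PEM) into the <ca> block; this is not the signing CA loaded from ovpnCaCrt.`, adjusted to the actual intent. CertWriter's body starts and ends outside the hunk, so how `r.ca` is populated is not visible here.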
@@ -226,12 +226,12 @@ func writeVpnCertificate(addEnvelope bool, buf io.Writer, keyBytes []byte) error
 	return nil
 }
 
-func writeCACertificate(addEnvelope bool, buf io.Writer, keyBytes []byte) error {
+func writeCACertificate(addEnvelope bool, buf io.Writer, pemRootCA string) error {
 	if err := maybeAddEnvelope(addEnvelope, buf, "<ca>"); err != nil {
 		return err
 	}
 
-	err := pem.Encode(buf, &pem.Block{Type: "CERTIFICATE", Bytes: keyBytes})
+	_, err := buf.Write([]byte(fmt.Sprintf("%s\n", pemRootCA)))
 	if err != nil {
 		return err
 	}
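Review bot: The new write in writeCACertificate, `buf.Write([]byte(fmt.Sprintf("%s\n", pemRootCA)))`, formats into a string and then copies it into a byte slice just to append a newline. Since `buf` is an `io.Writer`, `_, err := fmt.Fprintf(buf, "%s\n", pemRootCA)` does the same in one step. The function also deserves a doc comment saying that `pemRootCA` must already be PEM-encoded and is written unchanged, since nothing here re-encodes or checks it any more. If the stored PEM already ends in a newline, the output gains a blank line before whatever follows; the rest of the function is outside the hunk, so I cannot tell whether that matters.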
diff --git a/pkg/api/registry.go b/pkg/api/registry.go
index 4c0c748e2ef5365ed05e9424876538333def3fa9..3ff03915db4a2d214b4d8e4af83ea7278a89a010 100644
--- a/pkg/api/registry.go
+++ b/pkg/api/registry.go
@@ -46,8 +46,9 @@ type registry struct {
 	lm *latency.Metric
 
 	clientCertURL string
-	ca            string
-	provider      m.Provider
+	// ca is the pem formatted root ca
+	ca       string
+	provider m.Provider
 
 	// This is the amount of milliseconds to wait since the last heartbeat from a bridge or gateway before
 	// removing them from the resources that are returned to clients.