diff --git a/trustpinning/certs.go b/trustpinning/certs.go
index 1187c40e7e..4ad275efde 100644
--- a/trustpinning/certs.go
+++ b/trustpinning/certs.go
@@ -123,7 +123,7 @@ func ValidateRoot(certStore trustmanager.X509Store, root *data.Signed, gun strin
 return &ErrValidationFail{Reason: "failed to validate data with current trusted certificates"}
 }
 } else {
- logrus.Debugf("found no currently valid root certificates for %s, using trust_pinning config to bootstrap trust:", gun, trustPinning)
+ logrus.Debugf("found no currently valid root certificates for %s, using trust_pinning config to bootstrap trust", gun)
 trustPinCheckFunc, err := NewTrustPinChecker(trustPinning, gun)
 if err != nil {
 return &ErrValidationFail{Reason: err.Error()}
@@ -275,6 +275,11 @@ func parseAllCerts(signedRoot *data.SignedRoot) (map[string]*x509.Certificate, m
 logrus.Debugf("invalid chain due to leaf certificate missing or too many leaf certificates for keyID: %s", keyID)
 continue
 }
+ // If we found a leaf certificate, assert that the cert bundle started with a leaf
+ if decodedCerts[0].IsCA {
+ logrus.Debugf("invalid chain due to leaf certificate not being first certificate for keyID: %s", keyID)
+ continue
+ }
 // Get the ID of the leaf certificate
 leafCert := leafCertList[0]
diff --git a/trustpinning/certs_test.go b/trustpinning/certs_test.go
index e1644709c0..4b64778931 100644
--- a/trustpinning/certs_test.go
+++ b/trustpinning/certs_test.go
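Review bot: The ordering check added in parseAllCerts keys on `decodedCerts[0].IsCA` rather than on the leaf the preceding lines just selected, so it is only as strong as that flag; in crypto/x509 `IsCA` is meaningful only when `BasicConstraintsValid` is set, and a first certificate with no basic-constraints extension reads as a non-CA. How `leafCertList` is filled lies outside the hunk, so the two tests may already coincide, but comparing against the selected leaf states the intent directly: `if !decodedCerts[0].Equal(leafCertList[0]) {` (assuming both slices hold `*x509.Certificate`). The comment above the check should also say why position matters to the code that consumes the bundle, since the hunk does not show it. The rejection is logged at debug level only, so an operator sees just the generic validation error unless debug logging is on. The body of parseAllCerts starts and ends outside the hunk.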
@@ -202,10 +202,11 @@ func TestValidateRoot(t *testing.T) {
 require.Equal(t, err, &ErrValidationFail{Reason: "unable to retrieve valid leaf certificates"})
 //
- // This call to ValidateRoot will succeed in getting to the TUF validation, since
+ // This call to ValidateRoot could succeed in getting to the TUF validation, since
 // we are using a valid PEM encoded certificate chain of intermediate + leaf cert
 // that are signed by a trusted root authority and the leaf cert has a correct CN.
- // It will, however, fail to validate, because it has an invalid TUF signature
+ // It will, however, fail to validate, because the leaf cert does not precede the
+ // intermediate in the certificate bundle
 //
 // Execute our template deleting the old buffer first
 signedRootBytes.Reset()
@@ -217,7 +218,7 @@ func TestValidateRoot(t *testing.T) {
 err = ValidateRoot(certStore, &testSignedRoot, "secure.example.com", TrustPinConfig{})
 require.Error(t, err, "An error was expected")
- require.Equal(t, err, &ErrValidationFail{Reason: "failed to validate integrity of roots"})
+ require.Equal(t, err, &ErrValidationFail{Reason: "unable to retrieve valid leaf certificates"})
 }
 func TestValidateRootWithoutTOFUS(t *testing.T) {
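Review bot: The new expectation `Reason: "unable to retrieve valid leaf certificates"` in the last hunk is the same string the earlier case in TestValidateRoot already asserts (first context line of the previous hunk), so this case passes for any failure during leaf retrieval and does not show that the ordering check is what rejected the bundle. A positive control would pin it: render the same chain leaf-first and assert that it gets past leaf retrieval, or exercise parseAllCerts directly with both orders. The reworded comment in the previous hunk, "could succeed in getting to the TUF validation", is ambiguous; `// This call to ValidateRoot would reach TUF validation if certificate order were ignored, since` reads more clearly. TestValidateRoot begins outside both hunks.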