diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
index 22d045fb9..45f315c94 100644
--- a/builtin/logical/pki/cert_util.go
+++ b/builtin/logical/pki/cert_util.go
@@ -1392,7 +1392,7 @@ func generateCreationBundle(b *backend, data *inputBundle, caSign *certutil.CAIn
 fallthrough
 default:
 return nil, nil, errutil.UserError{Err: fmt.Sprintf(
- "cannot satisfy request, as TTL would result in notAfter %s that is beyond the expiration of the CA certificate at %s", notAfter.Format(time.RFC3339Nano), caSign.Certificate.NotAfter.Format(time.RFC3339Nano))}
+ "cannot satisfy request, as TTL would result in notAfter of %s that is beyond the expiration of the CA certificate at %s", notAfter.UTC().Format(time.RFC3339Nano), caSign.Certificate.NotAfter.UTC().Format(time.RFC3339Nano))}
 }
 }
 }
diff --git a/changelog/18984.txt b/changelog/18984.txt
new file mode 100644
index 000000000..4652bf299
--- /dev/null
+++ b/changelog/18984.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki: consistently use UTC for CA's notAfter exceeded error message
+```
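Review bot: The reworded message in the `default:` branch has no regression test visible in this diff, so the UTC rendering could silently revert; a test that triggers this error with a non-UTC `notAfter` and checks that both timestamps end in `Z` would pin it. The wording also changes from `notAfter %s` to `notAfter of %s`, which the changelog entry does not mention, so any client check or alert rule that matches the old text would stop matching. A one-line comment above the `fmt.Sprintf` call would record the intent, e.g. `// Render both times in UTC so the message does not depend on the server's local zone.` The body of generateCreationBundle starts and ends outside the hunk, so the comparison that leads to this branch is not visible here.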