From caf9892e01e864a4178da368e88e71589cd5249e Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Fri, 3 Feb 2023 11:26:40 -0500
Subject: [PATCH 1/2] Use UTC for leaf exceeding CA's notAfter

When generating a leaf which exceeds the CA's validity period, Vault's error message was confusing as the leaf would use the server's time zone, but the CA's notAfter date would use UTC. This could cause user confusion as the leaf's expiry might look before the latter, due to using different time zones.

E.g.:

> cannot satisfy request, as TTL would result in notAfter
> 2023-03-06T16:41:09.757694-08:00 that is beyond the expiration of
> the CA certificate at 2023-03-07T00:29:52Z

Consistently use UTC for this instead.

Signed-off-by: Alexander Scheel
---
 builtin/logical/pki/cert_util.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/builtin/logical/pki/cert_util.go b/builtin/logical/pki/cert_util.go
index 22d045fb9c03..45f315c946ba 100644
--- a/builtin/logical/pki/cert_util.go
+++ b/builtin/logical/pki/cert_util.go
@@ -1392,7 +1392,7 @@ func generateCreationBundle(b *backend, data *inputBundle, caSign *certutil.CAIn
 fallthrough
 default:
 return nil, nil, errutil.UserError{Err: fmt.Sprintf(
- "cannot satisfy request, as TTL would result in notAfter %s that is beyond the expiration of the CA certificate at %s", notAfter.Format(time.RFC3339Nano), caSign.Certificate.NotAfter.Format(time.RFC3339Nano))}
+ "cannot satisfy request, as TTL would result in notAfter of %s that is beyond the expiration of the CA certificate at %s", notAfter.UTC().Format(time.RFC3339Nano), caSign.Certificate.NotAfter.UTC().Format(time.RFC3339Nano))}
 }
 }
 }

From 4e27cb03323b9da7b4e59f20f47983e6436b44cd Mon Sep 17 00:00:00 2001
From: Alexander Scheel
Date: Fri, 3 Feb 2023 11:30:47 -0500
Subject: [PATCH 2/2] Add changelog entry

Signed-off-by: Alexander Scheel
---
 changelog/18984.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 changelog/18984.txt
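Review bot: The rewritten `return` in the `default:` arm gives no hint why both timestamps are now passed through `.UTC()` before formatting, which is the whole point of the change and will look like noise to the next reader; a one-line why-comment above the `return`, such as `// Render both notAfter values in UTC so the leaf and CA expirations are directly comparable regardless of the server's local time zone.`, would preserve the intent. The message wording also changed from `notAfter %s` to `notAfter of %s`, so any test or client that matched on the previous string presumably needs updating alongside this. `caSign.Certificate.NotAfter` should already be in UTC when it comes from a parsed x509 certificate, so the second `.UTC()` is likely a no-op, but keeping the pair symmetric is reasonable. Both the enclosing `switch` and `generateCreationBundle` begin before and continue past this hunk.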
diff --git a/changelog/18984.txt b/changelog/18984.txt
new file mode 100644
index 000000000000..4652bf299bfe
--- /dev/null
+++ b/changelog/18984.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+secrets/pki: consistently use UTC for CA's notAfter exceeded error message
+```