diff --git a/agent/connect/ca/provider_vault.go b/agent/connect/ca/provider_vault.go
index 8c04edc0bf..743ea8957e 100644
--- a/agent/connect/ca/provider_vault.go
+++ b/agent/connect/ca/provider_vault.go
@@ -172,7 +172,7 @@ func (v *VaultProvider) GenerateIntermediate() (string, error) {
 "allow_any_name": true,
 "allowed_uri_sans": "spiffe://*",
 "key_type": "any",
- "max_ttl": fmt.Sprintf("%.0fm", v.config.LeafCertTTL.Minutes()),
+ "max_ttl": v.config.LeafCertTTL.String(),
 "require_cn": false,
 })
 if err != nil {
@@ -227,7 +227,7 @@ func (v *VaultProvider) Sign(csr *x509.CertificateRequest) (string, error) {
 // Use the leaf cert role to sign a new cert for this CSR.
 response, err := v.client.Logical().Write(v.config.IntermediatePKIPath+"sign/"+VaultCALeafCertRole, map[string]interface{}{
 "csr": pemBuf.String(),
- "ttl": fmt.Sprintf("%.0fm", v.config.LeafCertTTL.Minutes()),
+ "ttl": v.config.LeafCertTTL.String(),
 })
 if err != nil {
 return "", fmt.Errorf("error issuing cert: %v", err)
diff --git a/agent/connect/ca/provider_vault_test.go b/agent/connect/ca/provider_vault_test.go
index 3769d79d16..5c248e8dc4 100644
--- a/agent/connect/ca/provider_vault_test.go
+++ b/agent/connect/ca/provider_vault_test.go
@@ -154,7 +154,7 @@ func TestVaultCAProvider_SignLeaf(t *testing.T) {
 require.NotEqual(firstSerial, parsed.SerialNumber.Uint64())
 // Ensure the cert is valid now and expires within the correct limit.
- require.True(parsed.NotAfter.Sub(time.Now()) < 3*24*time.Hour)
+ require.True(parsed.NotAfter.Sub(time.Now()) < time.Hour)
 require.True(parsed.NotBefore.Before(time.Now()))
 }
 }
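Review bot: Neither the `max_ttl` written in GenerateIntermediate nor the `ttl` sent in Sign guards against a zero or negative `LeafCertTTL`. `time.Duration(0).String()` yields `"0s"`, and Vault's PKI backend treats a zero TTL as unset and falls back to the mount or system default, so leaf certificates could live far longer than the operator intended. Unless the config is already validated elsewhere (not visible in this diff), reject the value before either write, e.g. `if v.config.LeafCertTTL <= 0 { return "", fmt.Errorf("invalid LeafCertTTL %s", v.config.LeafCertTTL) }`. Both function bodies extend beyond the hunks shown.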
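Review bot: The tightened assertion in TestVaultCAProvider_SignLeaf still checks only an upper bound on `NotAfter`, so a certificate that is already expired or has a near-zero lifetime would pass, despite the comment's "valid now". Add a lower bound such as `require.True(parsed.NotAfter.After(time.Now()))`. The literal `time.Hour` presumably mirrors the TTL the test configures, but that setup is outside this hunk; deriving the limit from the configured value would keep the two from drifting apart. The test function begins outside the hunk.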