From 96c66137392a79b7b594aebc7babd66d6a89e321 Mon Sep 17 00:00:00 2001
From: Carl Tashian <carl@smallstep.com>
Date: Thu, 16 Feb 2023 15:56:57 -0800
Subject: [PATCH] Clarify policy lockout error message

---
 authority/policy.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/authority/policy.go b/authority/policy.go
index d3078e10..3231669c 100644
--- a/authority/policy.go
+++ b/authority/policy.go
@@ -248,7 +248,7 @@ func isAllowed(engine authPolicy.X509Policy, sans []string) error {
 		if isNamePolicyError && policyErr.Reason == policy.NotAllowed {
 			return &PolicyError{
 				Typ: AdminLockOut,
-				Err: fmt.Errorf("the provided policy would lock out %s from the CA. Please update your policy to include %s as an allowed name", sans, sans),
+				Err: fmt.Errorf("the provided policy would lock out %s from the CA. Please create an x509 policy to include %s as an allowed DNS name.", sans, sans),
 			}
 		}
 		return &PolicyError{