diff --git a/authority/policy.go b/authority/policy.go
index d3078e10..3231669c 100644
--- a/authority/policy.go
+++ b/authority/policy.go
@@ -248,7 +248,7 @@ func isAllowed(engine authPolicy.X509Policy, sans []string) error {
 if isNamePolicyError && policyErr.Reason == policy.NotAllowed {
 return &PolicyError{
 Typ: AdminLockOut,
- Err: fmt.Errorf("the provided policy would lock out %s from the CA. Please update your policy to include %s as an allowed name", sans, sans),
+ Err: fmt.Errorf("the provided policy would lock out %s from the CA. Please create an x509 policy to include %s as an allowed DNS name.", sans, sans),
 }
 }
 return &PolicyError{
diff --git a/authority/policy_test.go b/authority/policy_test.go
index 8e2e0df4..ae320536 100644
--- a/authority/policy_test.go
+++ b/authority/policy_test.go
@@ -80,7 +80,7 @@ func TestAuthority_checkPolicy(t *testing.T) {
 },
 err: &PolicyError{
 Typ: AdminLockOut,
- Err: errors.New("the provided policy would lock out [step] from the CA. Please update your policy to include [step] as an allowed name"),
+ Err: errors.New("the provided policy would lock out [step] from the CA. Please create an x509 policy to include [step] as an allowed DNS name"),
 },
 }
 },
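Review bot: The new `AdminLockOut` message in `isAllowed` ends with a period (`...as an allowed DNS name.`), but the updated expectation in the `TestAuthority_checkPolicy` hunk has none, so the two strings differ and the test will fail if it compares error text. Go error strings conventionally carry no trailing punctuation, so the fix is to end the format string with `as an allowed DNS name", sans, sans),`. Separately, `sans` is a plain `[]string` and the hunk does not show that every entry is a DNS name. If an admin subject can be an email, IP or URI, saying "allowed DNS name" in this lock-out guard would point the operator at the wrong policy field, so a one-line comment stating which name types reach this branch would help. Both function bodies continue outside the hunks.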