From 96c66137392a79b7b594aebc7babd66d6a89e321 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Thu, 16 Feb 2023 15:56:57 -0800
Subject: [PATCH 1/2] Clarify policy lockout error message
---
 authority/policy.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/authority/policy.go b/authority/policy.go
index d3078e10..3231669c 100644
--- a/authority/policy.go
+++ b/authority/policy.go
@@ -248,7 +248,7 @@ func isAllowed(engine authPolicy.X509Policy, sans []string) error {
 if isNamePolicyError && policyErr.Reason == policy.NotAllowed {
 return &PolicyError{
 Typ: AdminLockOut,
- Err: fmt.Errorf("the provided policy would lock out %s from the CA. Please update your policy to include %s as an allowed name", sans, sans),
+ Err: fmt.Errorf("the provided policy would lock out %s from the CA. Please create an x509 policy to include %s as an allowed DNS name.", sans, sans),
 }
 }
 return &PolicyError{
From cfcc95de93d851950c899bfaadc9f2a73ff64bcf Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Thu, 16 Feb 2023 15:58:36 -0800
Subject: [PATCH 2/2] Update policy test
---
 authority/policy_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/authority/policy_test.go b/authority/policy_test.go
index 8e2e0df4..ae320536 100644
--- a/authority/policy_test.go
+++ b/authority/policy_test.go
@@ -80,7 +80,7 @@ func TestAuthority_checkPolicy(t *testing.T) {
 },
 err: &PolicyError{
 Typ: AdminLockOut,
- Err: errors.New("the provided policy would lock out [step] from the CA. Please update your policy to include [step] as an allowed name"),
+ Err: errors.New("the provided policy would lock out [step] from the CA. Please create an x509 policy to include [step] as an allowed DNS name"),
 },
 }
 },
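Review bot: The new message on the `+` line in authority/policy.go ends with a period (`... as an allowed DNS name.`), while the expectation updated in authority/policy_test.go (patch 2/2) has none, so the two strings no longer match. If TestAuthority_checkPolicy compares error text, which the hunk does not show, it would fail. Go error strings conventionally carry no trailing punctuation, so I would drop the period and end the format string with `as an allowed DNS name", sans, sans),`. The hint also now says "DNS name" although `isAllowed` takes a generic `sans []string`; if callers can pass IP, email or URI SANs, this lockout guidance would point an administrator at the wrong policy field, so please confirm only DNS names reach this branch. The body of isAllowed begins and ends outside the hunk.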