From 6db1f3f937f99d410dec4112d5934f94ba9af9c6 Mon Sep 17 00:00:00 2001
From: Vault Automation <github-team-secure-vault-core@hashicorp.com>
Date: Mon, 17 Nov 2025 12:09:09 -0500
Subject: [PATCH] Change ttl from 3600 (implied type nanoseconds) to one hour
 to avoid timing race issues. (#10851) (#10855)

Co-authored-by: Kit Haines <khaines@mit.edu>
---
 builtin/logical/pki/cert_util_test.go | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/builtin/logical/pki/cert_util_test.go b/builtin/logical/pki/cert_util_test.go
index f7ac603210..3e17dcce76 100644
--- a/builtin/logical/pki/cert_util_test.go
+++ b/builtin/logical/pki/cert_util_test.go
@@ -156,12 +156,12 @@ func TestPki_PermitFQDNs(t *testing.T) {
 					Schema: fields,
 					Raw: map[string]interface{}{
 						"common_name": "example.com.",
-						"ttl":         3600,
+						"ttl":         time.Hour,
 					},
 				},
 				role: &issuing.RoleEntry{
 					AllowAnyName:     true,
-					MaxTTL:           3600,
+					MaxTTL:           time.Hour,
 					EnforceHostnames: true,
 				},
 			},
@@ -175,13 +175,13 @@ func TestPki_PermitFQDNs(t *testing.T) {
 					Raw: map[string]interface{}{
 						"common_name": "Example.Net",
 						"alt_names":   "eXaMPLe.COM",
-						"ttl":         3600,
+						"ttl":         time.Hour,
 					},
 				},
 				role: &issuing.RoleEntry{
 					AllowedDomains:   []string{"example.net", "EXAMPLE.COM"},
 					AllowBareDomains: true,
-					MaxTTL:           3600,
+					MaxTTL:           time.Hour,
 				},
 			},
 			expectedDnsNames: []string{"Example.Net", "eXaMPLe.COM"},
@@ -193,13 +193,13 @@ func TestPki_PermitFQDNs(t *testing.T) {
 					Schema: fields,
 					Raw: map[string]interface{}{
 						"common_name": "SUB.EXAMPLE.COM",
-						"ttl":         3600,
+						"ttl":         time.Hour,
 					},
 				},
 				role: &issuing.RoleEntry{
 					AllowedDomains:   []string{"example.com", "*.Example.com"},
 					AllowGlobDomains: true,
-					MaxTTL:           3600,
+					MaxTTL:           time.Hour,
 				},
 			},
 			expectedDnsNames: []string{"SUB.EXAMPLE.COM"},
@@ -211,13 +211,13 @@ func TestPki_PermitFQDNs(t *testing.T) {
 					Schema: fields,
 					Raw: map[string]interface{}{
 						"common_name": "test@testemail.com",
-						"ttl":         3600,
+						"ttl":         time.Hour,
 					},
 				},
 				role: &issuing.RoleEntry{
 					AllowedDomains:   []string{"test@testemail.com"},
 					AllowBareDomains: true,
-					MaxTTL:           3600,
+					MaxTTL:           time.Hour,
 				},
 			},
 			expectedDnsNames: []string{},
@@ -229,13 +229,13 @@ func TestPki_PermitFQDNs(t *testing.T) {
 					Schema: fields,
 					Raw: map[string]interface{}{
 						"common_name": "test@testemail.com",
-						"ttl":         3600,
+						"ttl":         time.Hour,
 					},
 				},
 				role: &issuing.RoleEntry{
 					AllowedDomains:   []string{"testemail.com"},
 					AllowBareDomains: true,
-					MaxTTL:           3600,
+					MaxTTL:           time.Hour,
 				},
 			},
 			expectedDnsNames: []string{},