diff --git a/authority/provisioner/controller.go b/authority/provisioner/controller.go
index 0ca40267..063ab50c 100644
--- a/authority/provisioner/controller.go
+++ b/authority/provisioner/controller.go
@@ -3,6 +3,7 @@ package provisioner
 import (
 	"context"
 	"crypto/x509"
+	"net/http"
 	"regexp"
 	"strings"
 	"time"
@@ -131,7 +132,9 @@ func DefaultAuthorizeRenew(ctx context.Context, p *Controller, cert *x509.Certif
 		return errs.Unauthorized("certificate is not yet valid" + " " + now.UTC().Format(time.RFC3339Nano) + " vs " + cert.NotBefore.Format(time.RFC3339Nano))
 	}
 	if now.After(cert.NotAfter) && !p.Claimer.AllowRenewalAfterExpiry() {
-		return errs.Unauthorized("certificate has expired")
+		// return a custom 401 Unauthorized error with a clearer message for the client
+		// TODO(hs): these errors likely need to be refactored as a whole; HTTP status codes shouldn't be in this layer.
+		return errs.New(http.StatusUnauthorized, "The request lacked necessary authorization to be completed: certificate expired on %s", cert.NotAfter)
 	}
 
 	return nil