diff --git a/authority/policy.go b/authority/policy.go
index 3231669c..38a57bec 100644
--- a/authority/policy.go
+++ b/authority/policy.go
@@ -248,7 +248,7 @@ func isAllowed(engine authPolicy.X509Policy, sans []string) error {
 		if isNamePolicyError && policyErr.Reason == policy.NotAllowed {
 			return &PolicyError{
 				Typ: AdminLockOut,
-				Err: fmt.Errorf("the provided policy would lock out %s from the CA. Please create an x509 policy to include %s as an allowed DNS name.", sans, sans),
+				Err: fmt.Errorf("the provided policy would lock out %s from the CA. Please create an x509 policy to include %s as an allowed DNS name", sans, sans),
 			}
 		}
 		return &PolicyError{
diff --git a/authority/policy_test.go b/authority/policy_test.go
index ae320536..672ca489 100644
--- a/authority/policy_test.go
+++ b/authority/policy_test.go
@@ -127,7 +127,7 @@ func TestAuthority_checkPolicy(t *testing.T) {
 				},
 				err: &PolicyError{
 					Typ: AdminLockOut,
-					Err: errors.New("the provided policy would lock out [otherAdmin] from the CA. Please update your policy to include [otherAdmin] as an allowed name"),
+					Err: errors.New("the provided policy would lock out [otherAdmin] from the CA. Please create an x509 policy to include [otherAdmin] as an allowed DNS name"),
 				},
 			}
 		},
diff --git a/cmd/step-ca/main.go b/cmd/step-ca/main.go
index 937f0186..11756b93 100644
--- a/cmd/step-ca/main.go
+++ b/cmd/step-ca/main.go
@@ -52,7 +52,6 @@ var (
 func init() {
 	step.Set("Smallstep CA", Version, BuildTime)
 	authority.GlobalVersion.Version = Version
-	//nolint:staticcheck // deprecated in Go 1.20
 	rand.Seed(time.Now().UnixNano())
 	// Add support for asking passwords
 	pemutil.PromptPassword = func(msg string) ([]byte, error) {