From 6e286c6afe6eb6fa5c82eccba714b3e02ab9f357 Mon Sep 17 00:00:00 2001
From: Tim Buckley
Date: Tue, 22 Jul 2025 19:10:05 -0600
Subject: [PATCH] MWI: Fix identity facade's `Expiry()` certificate parsing

The `Expiry()` function was trying to parse DER-encoded data in the `tls.Certificate` as PEM, causing a silent failure. This method was not used until #56927 but failed every time as it was trying to parse certificates using the wrong encoding type.
---
 lib/tbot/identity/identity_facade.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/lib/tbot/identity/identity_facade.go b/lib/tbot/identity/identity_facade.go
index 59010840b3a0d..b7a81b446ca70 100644
--- a/lib/tbot/identity/identity_facade.go
+++ b/lib/tbot/identity/identity_facade.go
@@ -31,7 +31,6 @@ import (
 "github.com/gravitational/teleport/api/client"
 apidefaults "github.com/gravitational/teleport/api/defaults"
 apiutils "github.com/gravitational/teleport/api/utils"
- "github.com/gravitational/teleport/api/utils/keys"
 "github.com/gravitational/teleport/api/utils/sshutils"
 "github.com/gravitational/teleport/lib/defaults"
 "github.com/gravitational/teleport/lib/utils"
@@ -212,7 +211,7 @@ func (f *Facade) Expiry() (time.Time, bool) {
 if len(f.identity.TLSCert.Certificate) == 0 {
 return time.Time{}, false
 }
- cert, _, err := keys.X509Certificate(f.identity.TLSCert.Certificate[0])
+ cert, err := x509.ParseCertificate(f.identity.TLSCert.Certificate[0])
 if err != nil {
 return time.Time{}, false
 }
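Review bot: The `if err != nil { return time.Time{}, false }` branch after the new `x509.ParseCertificate` call still discards the parse error, which is how the wrong-encoding bug described in the commit message went unnoticed; a caller cannot tell an absent certificate from an unparseable one. Since the `(time.Time, bool)` signature leaves no room for an error, I would log the error in that branch and add a regression test asserting that `Expiry()` reports `true` for a facade built from a valid identity; the patch touches only this file, so nothing pins the fix. A short comment above the call would also prevent a repeat, e.g. `// TLSCert.Certificate holds ASN.1 DER blocks, leaf first; do not route it through PEM helpers.` `Expiry()` begins and ends outside the hunk, and the `crypto/x509` import is presumably already present, since the first hunk only removes `keys`.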