diff --git a/changelog/29128.txt b/changelog/29128.txt
new file mode 100644
index 000000000000..ce458a0800ff
--- /dev/null
+++ b/changelog/29128.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+vault/diagnose: Fix time to expiration reporting within the TLS verification to not be a month off.
+```
diff --git a/vault/diagnose/tls_verification.go b/vault/diagnose/tls_verification.go
index 7632e69d522f..be5603fcd614 100644
--- a/vault/diagnose/tls_verification.go
+++ b/vault/diagnose/tls_verification.go
@@ -270,15 +270,17 @@ func TLSFileWarningChecks(leafCerts, interCerts, rootCerts []*x509.Certificate)
 return warnings, nil
 }
-// NearExpiration returns a true if a certficate will expire in a month and false otherwise
+// NearExpiration returns a true if a certificate will expire in a month
+// and false otherwise, along with the duration until the certificate expires
+// which can be a negative duration if the certificate has already expired.
 func NearExpiration(c *x509.Certificate) (bool, time.Duration) {
- oneMonthFromNow := time.Now().Add(30 * 24 * time.Hour)
- var timeToExpiry time.Duration
- if oneMonthFromNow.After(c.NotAfter) {
- timeToExpiry := oneMonthFromNow.Sub(c.NotAfter)
- return true, timeToExpiry
- }
- return false, timeToExpiry
+ now := time.Now()
+ timeToExpiry := c.NotAfter.Sub(now)
+
+ oneMonthFromNow := now.Add(30 * 24 * time.Hour)
+ isNearExpiration := oneMonthFromNow.After(c.NotAfter)
+
+ return isNearExpiration, timeToExpiry
 }
 // TLSMutualExclusionCertCheck returns error if both TLSDisableClientCerts and TLSRequireAndVerifyClientCert are set
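Review bot: The rewritten doc comment on NearExpiration still calls the threshold "a month" while the code compares against a fixed 30*24h window and also reports true for certificates that are already expired, so the comment should say exactly that: `// NearExpiration reports whether c expires within the next 30 days (including certificates that have already expired),` `// together with the time remaining until NotAfter; the duration is negative once the certificate has expired.` The window is a bare `30 * 24 * time.Hour` expression; naming it (`const nearExpirationWindow = 30 * 24 * time.Hour`) would let the diagnose output and a test refer to the same value. No test pinning the sign of the returned duration appears in this diff, and because `time.Now()` is read inside the function the fix is hard to lock down; splitting the comparison into an unexported `nearExpirationAt(c, now)` that NearExpiration calls would make both the regression and the boundary case (a NotAfter exactly 30 days out reports false, since `After` is strict) testable.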