diff --git a/keystone/exception.py b/keystone/exception.py
index a01fc4ee2..f32e97333 100644
--- a/keystone/exception.py
+++ b/keystone/exception.py
@@ -69,6 +69,15 @@ class ValidationError(Error):
     title = 'Bad Request'
 
 
+class ValidationTimeStampError(Error):
+    message_format = _("Timestamp not in expected format."
+                       " The server could not comply with the request"
+                       " since it is either malformed or otherwise"
+                       " incorrect. The client is assumed to be in error.")
+    code = 400
+    title = 'Bad Request'
+
+
 class StringLengthExceeded(ValidationError):
     message_format = _("String length exceeded.The length of"
                        " string '%(string)s' exceeded the limit"
diff --git a/keystone/tests/test_auth.py b/keystone/tests/test_auth.py
index 353f14ed8..d07c336e7 100644
--- a/keystone/tests/test_auth.py
+++ b/keystone/tests/test_auth.py
@@ -661,6 +661,17 @@ class AuthWithTrust(AuthTest):
         for role in self.new_trust['roles']:
             self.assertIn(role['id'], role_ids)
 
+    def test_create_trust_expires_bad(self):
+        self.assertRaises(exception.ValidationTimeStampError,
+                          self.create_trust,
+                          expires_at="bad")
+        self.assertRaises(exception.ValidationTimeStampError,
+                          self.create_trust,
+                          expires_at="")
+        self.assertRaises(exception.ValidationTimeStampError,
+                          self.create_trust,
+                          expires_at="Z")
+
     def test_get_trust(self):
         context = {'token_id': self.unscoped_token['access']['token']['id']}
         trust = self.trust_controller.get_trust(context,
diff --git a/keystone/trust/controllers.py b/keystone/trust/controllers.py
index c3d0ae3aa..42e1a6793 100644
--- a/keystone/trust/controllers.py
+++ b/keystone/trust/controllers.py
@@ -171,8 +171,11 @@ class TrustV3(controller.V3Controller):
             if trust.get('expires_at') is not None:
                 if not trust['expires_at'].endswith('Z'):
                     trust['expires_at'] += 'Z'
-                trust['expires_at'] = (timeutils.parse_isotime
-                                       (trust['expires_at']))
+                try:
+                    trust['expires_at'] = (timeutils.parse_isotime
+                                           (trust['expires_at']))
+                except ValueError:
+                    raise exception.ValidationTimeStampError()
             new_trust = self.trust_api.create_trust(
                 trust_id=uuid.uuid4().hex,
                 trust=trust,