diff --git a/ironic_python_agent/tests/unit/test_tls_utils.py b/ironic_python_agent/tests/unit/test_tls_utils.py
index 732139a98..aaa9db78f 100644
--- a/ironic_python_agent/tests/unit/test_tls_utils.py
+++ b/ironic_python_agent/tests/unit/test_tls_utils.py
@@ -37,7 +37,8 @@ class GenerateTestCase(ironic_agent_base.IronicAgentTest):
         result = tls_utils._generate_tls_certificate(self.crt_file,
                                                      self.key_file,
                                                      'localhost', '127.0.0.1')
-        now = datetime.datetime.utcnow()
+        now = datetime.datetime.now(
+            tz=datetime.timezone.utc).replace(tzinfo=None)
         self.assertTrue(result.startswith("-----BEGIN CERTIFICATE-----\n"),
                         result)
         self.assertTrue(result.endswith("\n-----END CERTIFICATE-----\n"),
@@ -51,6 +52,8 @@ class GenerateTestCase(ironic_agent_base.IronicAgentTest):
         self.assertEqual([(x509.NameOID.COMMON_NAME, 'localhost')],
                          [(item.oid, item.value) for item in cert.subject])
         # Sanity check for validity range
+        # FIXME(dtantsur): use timezone-aware properties and drop the replace()
+        # call above when we're ready to bump to cryptography 42.0.
         self.assertLess(cert.not_valid_before,
                         now - datetime.timedelta(seconds=1800))
         self.assertGreater(cert.not_valid_after,
diff --git a/ironic_python_agent/tls_utils.py b/ironic_python_agent/tls_utils.py
index 62adec9e8..11a5e6640 100644
--- a/ironic_python_agent/tls_utils.py
+++ b/ironic_python_agent/tls_utils.py
@@ -77,9 +77,9 @@ def _generate_tls_certificate(output, private_key_output,
     ])
     alt_name = x509.SubjectAlternativeName([x509.IPAddress(ip_address)])
     allowed_clock_skew = CONF.auto_tls_allowed_clock_skew
-    not_valid_before = (datetime.datetime.utcnow()
+    not_valid_before = (datetime.datetime.now(tz=datetime.timezone.utc)
                         - datetime.timedelta(seconds=allowed_clock_skew))
-    not_valid_after = (datetime.datetime.utcnow()
+    not_valid_after = (datetime.datetime.now(tz=datetime.timezone.utc)
                        + datetime.timedelta(days=valid_for_days))
     cert = (x509.CertificateBuilder()
             .subject_name(subject)