diff --git a/builtin/credential/aws/pkcs7/sign.go b/builtin/credential/aws/pkcs7/sign.go
index b64fcb11da..72b9938854 100644
--- a/builtin/credential/aws/pkcs7/sign.go
+++ b/builtin/credential/aws/pkcs7/sign.go
@@ -12,8 +12,14 @@ import (
 	"fmt"
 	"math/big"
 	"time"
+
+	"github.com/hashicorp/vault/internal"
 )
 
+func init() {
+	internal.PatchSha1()
+}
+
 // SignedData is an opaque data structure for creating signed data payloads
 type SignedData struct {
 	sd signedData
diff --git a/internal/go118_sha1_patch.go b/internal/go118_sha1_patch.go
index 8076166f5b..f3b3cea688 100644
--- a/internal/go118_sha1_patch.go
+++ b/internal/go118_sha1_patch.go
@@ -26,6 +26,15 @@ var debugAllowSHA1 bool
 // TODO: remove when Vault <=1.11 is no longer supported
 func PatchSha1() {
 	patchSha1.Do(func() {
+		// for Go 1.19.4 and later
+		godebug := os.Getenv("GODEBUG")
+		if godebug != "" {
+			godebug += ","
+		}
+		godebug += "x509sha1=1"
+		os.Setenv("GODEBUG", godebug)
+
+		// for Go 1.19.3 and earlier, patch the variable
 		patchBefore, err := goversion.NewSemver(sha1PatchVersionsBefore)
 		if err != nil {
 			panic(err)
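Review bot: The new `init()` in sign.go carries an undocumented process-wide side effect: merely importing this pkcs7 package calls `internal.PatchSha1()`, which (per the second hunk) re-enables SHA-1 x509 signature acceptance for the whole binary, not just for this package's callers. A reader of sign.go cannot see that from the three added lines, and Go convention discourages side-effecting `init` precisely because import graphs change silently. I would add a comment above it such as `// Re-enable SHA-1 x509 signatures process-wide (see internal.PatchSha1); presumably needed because the PKCS7 payloads verified here are still SHA-1 signed. TODO: remove when Vault <=1.11 is no longer supported.`, with the "presumably" to be confirmed against the actual signing algorithm of the documents this package verifies. Consider also whether a less global hook (an explicit call from the AWS auth backend's setup) would make the weakening visible at the point of use.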
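Review bot: The new GODEBUG handling inside `patchSha1.Do` discards the error from `os.Setenv` and never checks whether `x509sha1` is already present in the variable, so an operator who deliberately set `GODEBUG=x509sha1=0` gets `x509sha1=0,x509sha1=1` appended behind their back with no log line; at minimum mirror the surrounding panic style, `if err := os.Setenv("GODEBUG", godebug); err != nil { panic(err) }`, and skip the append when `strings.Contains(godebug, "x509sha1=")` already holds (logging that the existing setting was left alone). Two further points are inferred rather than visible here: whether `crypto/x509` reads GODEBUG at verification time or only once at package init differs between Go releases, and if it is the latter this `Setenv` runs after `crypto/x509` has initialized and would have no effect, so a test that a SHA-1 signed chain actually verifies under the targeted toolchain would make the "for Go 1.19.4 and later" comment verifiable; and because the environment is process-wide, any subprocess Vault later spawns (plugins, for example) inherits `x509sha1=1` and accepts SHA-1 certificate signatures too, which is worth stating in the function's doc comment. The enclosing closure and `PatchSha1` continue past the end of the hunk.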