diff --git a/vault/core.go b/vault/core.go
index 17d851a612..92a43ff950 100644
--- a/vault/core.go
+++ b/vault/core.go
@@ -602,9 +602,6 @@ func (c *Core) postUnseal() error {
 	if err := c.setupMounts(); err != nil {
 		return err
 	}
-	if err := c.setupExpiration(); err != nil {
-		return err
-	}
 	if err := c.startRollback(); err != nil {
 		return err
 	}
@@ -617,12 +614,18 @@ func (c *Core) postUnseal() error {
 	if err := c.setupCredentials(); err != nil {
 		return nil
 	}
+	if err := c.setupExpiration(); err != nil {
+		return err
+	}
 	return nil
 }
 
 // preSeal is invoked before the barrier is sealed, allowing
 // for any state teardown required.
 func (c *Core) preSeal() error {
+	if err := c.stopExpiration(); err != nil {
+		return err
+	}
 	if err := c.teardownCredentials(); err != nil {
 		return err
 	}
@@ -632,9 +635,6 @@ func (c *Core) preSeal() error {
 	if err := c.stopRollback(); err != nil {
 		return err
 	}
-	if err := c.stopExpiration(); err != nil {
-		return err
-	}
 	if err := c.unloadMounts(); err != nil {
 		return err
 	}
diff --git a/vault/expiration.go b/vault/expiration.go
index 1a3ae97766..9b45f8455d 100644
--- a/vault/expiration.go
+++ b/vault/expiration.go
@@ -33,9 +33,10 @@ const (
 // If a secret is not renewed in timely manner, it may be expired, and
 // the ExpirationManager will handle doing automatic revocation.
 type ExpirationManager struct {
-	router *Router
-	view   *BarrierView
-	logger *log.Logger
+	router     *Router
+	view       *BarrierView
+	tokenStore *TokenStore
+	logger     *log.Logger
 
 	pending     map[string]*time.Timer
 	pendingLock sync.Mutex
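Review bot: `setupExpiration` is moved behind the `setupCredentials` check in the second core.go hunk, but that check's context line reads `return nil` on error, so a credential-backend setup failure now reports a successful unseal and the expiration manager is never created — no lease would be revoked automatically and `c.expiration` stays nil for anything that later dereferences it. That line should be `return err`, as every other step in postUnseal does. If the reorder exists because `setupCredentials` populates `c.tokenStore` (which the expiration.go hunk passes to `NewExpirationManager`), a comment above the moved call, `// must run after setupCredentials: the manager needs c.tokenStore`, would keep a later reorder from reintroducing a nil store. postUnseal and preSeal both begin and end outside these hunks.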
@@ -43,15 +44,16 @@ type ExpirationManager struct {
 
 // NewExpirationManager creates a new ExpirationManager that is backed
 // using a given view, and uses the provided router for revocation.
-func NewExpirationManager(router *Router, view *BarrierView, logger *log.Logger) *ExpirationManager {
+func NewExpirationManager(router *Router, view *BarrierView, ts *TokenStore, logger *log.Logger) *ExpirationManager {
 	if logger == nil {
 		logger = log.New(os.Stderr, "", log.LstdFlags)
 	}
 	exp := &ExpirationManager{
-		router:  router,
-		view:    view,
-		logger:  logger,
-		pending: make(map[string]*time.Timer),
+		router:     router,
+		view:       view,
+		tokenStore: ts,
+		logger:     logger,
+		pending:    make(map[string]*time.Timer),
 	}
 	return exp
 }
@@ -63,7 +65,7 @@ func (c *Core) setupExpiration() error {
 	view := c.systemView.SubView(expirationSubPath)
 
 	// Create the manager
-	mgr := NewExpirationManager(c.router, view, c.logger)
+	mgr := NewExpirationManager(c.router, view, c.tokenStore, c.logger)
 	c.expiration = mgr
 
 	// Restore the existing state
diff --git a/vault/expiration_test.go b/vault/expiration_test.go
index 566513895a..ed76a6ce40 100644
--- a/vault/expiration_test.go
+++ b/vault/expiration_test.go
@@ -29,9 +29,11 @@ func mockExpiration(t *testing.T) *ExpirationManager {
 	// Create the barrier view
 	view := NewBarrierView(b, "expire/")
+	_, ts := mockTokenStore(t)
+
 	router := NewRouter()
 	logger := log.New(os.Stderr, "", log.LstdFlags)
-	return NewExpirationManager(router, view, logger)
+	return NewExpirationManager(router, view, ts, logger)
 }
 
 func TestExpiration_Restore(t *testing.T) {
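Review bot: The doc comment above `NewExpirationManager` still describes only the view and the router, while the signature now also takes `ts *TokenStore`; a sentence such as `// The token store is used when revoking leases tied to tokens.` should be added once its use is confirmed, since this diff does not show how `tokenStore` is read. A nil `logger` is replaced with a default, but a nil `ts` is stored unchecked, and unlike the logger there is no sensible fallback, so the comment should state that callers must pass a live store, or the constructor should fail fast. The `setupExpiration` hunk below passes `c.tokenStore`, which presumably is only initialised once the token store has been set up during unseal — worth a short comment at that call site too.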