diff --git a/cmd/swarmctl/main.go b/cmd/swarmctl/main.go
index 5210830260..afccb6c461 100644
--- a/cmd/swarmctl/main.go
+++ b/cmd/swarmctl/main.go
@@ -6,7 +6,7 @@ import (
 	"github.com/docker/swarmkit/cmd/swarmctl/cluster"
 	"github.com/docker/swarmkit/cmd/swarmctl/network"
 	"github.com/docker/swarmkit/cmd/swarmctl/node"
-	"github.com/docker/swarmkit/cmd/swarmctl/secrets"
+	"github.com/docker/swarmkit/cmd/swarmctl/secret"
 	"github.com/docker/swarmkit/cmd/swarmctl/service"
 	"github.com/docker/swarmkit/cmd/swarmctl/task"
 	"github.com/docker/swarmkit/version"
@@ -55,6 +55,6 @@ func init() {
 		version.Cmd,
 		network.Cmd,
 		cluster.Cmd,
-		secrets.Cmd,
+		secret.Cmd,
 	)
 }
diff --git a/cmd/swarmctl/secrets/cmd.go b/cmd/swarmctl/secret/cmd.go
similarity index 94%
rename from cmd/swarmctl/secrets/cmd.go
rename to cmd/swarmctl/secret/cmd.go
index 0911e0ec34..50f7eb72eb 100644
--- a/cmd/swarmctl/secrets/cmd.go
+++ b/cmd/swarmctl/secret/cmd.go
@@ -1,4 +1,4 @@
-package secrets
+package secret
 
 import "github.com/spf13/cobra"
 
diff --git a/cmd/swarmctl/secrets/common.go b/cmd/swarmctl/secret/common.go
similarity index 98%
rename from cmd/swarmctl/secrets/common.go
rename to cmd/swarmctl/secret/common.go
index 03586d853a..b6d5b0d4c3 100644
--- a/cmd/swarmctl/secrets/common.go
+++ b/cmd/swarmctl/secret/common.go
@@ -1,4 +1,4 @@
-package secrets
+package secret
 
 import (
 	"fmt"
diff --git a/cmd/swarmctl/secrets/create.go b/cmd/swarmctl/secret/create.go
similarity index 98%
rename from cmd/swarmctl/secrets/create.go
rename to cmd/swarmctl/secret/create.go
index bcd3ba0e46..4214d18fc1 100644
--- a/cmd/swarmctl/secrets/create.go
+++ b/cmd/swarmctl/secret/create.go
@@ -1,4 +1,4 @@
-package secrets
+package secret
 
 import (
 	"errors"
diff --git a/cmd/swarmctl/secrets/inspect.go b/cmd/swarmctl/secret/inspect.go
similarity index 86%
rename from cmd/swarmctl/secrets/inspect.go
rename to cmd/swarmctl/secret/inspect.go
index 2e63e50b0a..e7dc82d702 100644
--- a/cmd/swarmctl/secrets/inspect.go
+++ b/cmd/swarmctl/secret/inspect.go
@@ -1,14 +1,14 @@
-package secrets
+package secret
 
 import (
 	"errors"
 	"fmt"
 	"os"
 	"text/tabwriter"
-	"time"
 
 	"github.com/docker/swarmkit/api"
 	"github.com/docker/swarmkit/cmd/swarmctl/common"
+	"github.com/docker/swarmkit/protobuf/ptypes"
 	"github.com/spf13/cobra"
 )
 
@@ -27,8 +27,7 @@ func printSecretSummary(secret *api.Secret) {
 	common.FprintfIfNotEmpty(w, "Digest\t: %s\n", secret.Digest)
 	common.FprintfIfNotEmpty(w, "Size\t: %d\n", secret.SecretSize)
 
-	created := time.Unix(int64(secret.Meta.CreatedAt.Seconds), int64(secret.Meta.CreatedAt.Nanos))
-	common.FprintfIfNotEmpty(w, "Created\t: %s\n", created.Format(time.RFC822))
+	common.FprintfIfNotEmpty(w, "Created\t: %s\n", ptypes.TimestampString(secret.Meta.CreatedAt))
 }
 
 var (
diff --git a/cmd/swarmctl/secrets/list.go b/cmd/swarmctl/secret/list.go
similarity index 83%
rename from cmd/swarmctl/secrets/list.go
rename to cmd/swarmctl/secret/list.go
index 3367dc92d2..7565407f2d 100644
--- a/cmd/swarmctl/secrets/list.go
+++ b/cmd/swarmctl/secret/list.go
@@ -1,4 +1,4 @@
-package secrets
+package secret
 
 import (
 	"errors"
@@ -6,10 +6,10 @@ import (
 	"os"
 	"sort"
 	"text/tabwriter"
-	"time"
 
 	"github.com/docker/swarmkit/api"
 	"github.com/docker/swarmkit/cmd/swarmctl/common"
+	"github.com/docker/swarmkit/protobuf/ptypes"
 	"github.com/dustin/go-humanize"
 	"github.com/spf13/cobra"
 )
@@ -19,8 +19,14 @@ type secretSorter []*api.Secret
 func (k secretSorter) Len() int      { return len(k) }
 func (k secretSorter) Swap(i, j int) { k[i], k[j] = k[j], k[i] }
 func (k secretSorter) Less(i, j int) bool {
-	iTime := time.Unix(k[i].Meta.CreatedAt.Seconds, int64(k[i].Meta.CreatedAt.Nanos))
-	jTime := time.Unix(k[j].Meta.CreatedAt.Seconds, int64(k[j].Meta.CreatedAt.Nanos))
+	iTime, err := ptypes.Timestamp(k[i].Meta.CreatedAt)
+	if err != nil {
+		panic(err)
+	}
+	jTime, err := ptypes.Timestamp(k[j].Meta.CreatedAt)
+	if err != nil {
+		panic(err)
+	}
 	return jTime.Before(iTime)
 }
 
@@ -59,7 +65,10 @@ var (
 				}()
 				common.PrintHeader(w, "ID", "Name", "Created", "Digest", "Size")
 				output = func(s *api.Secret) {
-					created := time.Unix(int64(s.Meta.CreatedAt.Seconds), int64(s.Meta.CreatedAt.Nanos))
+					created, err := ptypes.Timestamp(s.Meta.CreatedAt)
+					if err != nil {
+						panic(err)
+					}
 					fmt.Fprintf(w, "%s\t%s\t%s\t%s\t%d\n",
 						s.ID,
 						s.Spec.Annotations.Name,
diff --git a/cmd/swarmctl/secrets/remove.go b/cmd/swarmctl/secret/remove.go
similarity index 97%
rename from cmd/swarmctl/secrets/remove.go
rename to cmd/swarmctl/secret/remove.go
index 47cbb10720..517ae6e7d6 100644
--- a/cmd/swarmctl/secrets/remove.go
+++ b/cmd/swarmctl/secret/remove.go
@@ -1,4 +1,4 @@
-package secrets
+package secret
 
 import (
 	"errors"
diff --git a/manager/controlapi/secret.go b/manager/controlapi/secret.go
index 1994a874be..668cb09119 100644
--- a/manager/controlapi/secret.go
+++ b/manager/controlapi/secret.go
@@ -17,7 +17,7 @@ import (
 // MaxSecretSize is the maximum byte length of the `Secret.Spec.Data` field.
 const MaxSecretSize = 500 * 1024 // 500KB
 
-var isValidSecretName = regexp.MustCompile(`^[a-zA-Z0-9](?:[a-zA-Z0-9-_.]{0,62}[a-zA-Z0-9])*$`)
+var validSecretNameRegexp = regexp.MustCompile(`^[a-zA-Z0-9]+(?:[a-zA-Z0-9-_.]*[a-zA-Z0-9])?$`)
 
 // assumes spec is not nil
 func secretFromSecretSpec(spec *api.SecretSpec) *api.Secret {
@@ -177,7 +177,7 @@ func validateSecretSpec(spec *api.SecretSpec) error {
 func validateSecretAnnotations(m api.Annotations) error {
 	if m.Name == "" {
 		return grpc.Errorf(codes.InvalidArgument, "name must be provided")
-	} else if !isValidSecretName.MatchString(m.Name) {
+	} else if len(m.Name) > 64 || !validSecretNameRegexp.MatchString(m.Name) {
 		// if the name doesn't match the regex
 		return grpc.Errorf(codes.InvalidArgument,
 			"invalid name, only 64 [a-zA-Z0-9-_.] characters allowed, and the start and end character must be [a-zA-Z0-9]")
diff --git a/manager/controlapi/secret_test.go b/manager/controlapi/secret_test.go
index e9995afc37..53335af3ea 100644
--- a/manager/controlapi/secret_test.go
+++ b/manager/controlapi/secret_test.go
@@ -4,6 +4,7 @@ import (
 	"crypto/sha256"
 	"encoding/hex"
 	"fmt"
+	"strings"
 	"testing"
 
 	"github.com/docker/swarmkit/api"
@@ -57,7 +58,7 @@ func TestValidateSecretSpec(t *testing.T) {
 		"with:colon",
 		"with;semicolon",
 		"snowman☃",
-		"o_______________________________________________________________o", // exactly 65 characters
+		strings.Repeat("a", 65),
 	} {
 		err := validateSecretSpec(createSecretSpec(badName, []byte("valid secret"), nil))
 		assert.Error(t, err)
@@ -77,12 +78,12 @@ func TestValidateSecretSpec(t *testing.T) {
 		"0",
 		"a",
 		"A",
-		"name-with-dashes",
-		"name.with.dots",
-		"name_with_underscores",
+		"name-with--dashes",
+		"name.with..dots",
+		"name_with__underscores",
 		"name.with-all_special",
 		"02624name035with1699numbers015125",
-		"o______________________________________________________________o", // exactly 64 characters
+		strings.Repeat("a", 64),
 	} {
 		err := validateSecretSpec(createSecretSpec(goodName, []byte("valid secret"), nil))
 		assert.NoError(t, err)