diff --git a/cmd/keymasterd/certgen.go b/cmd/keymasterd/certgen.go
index ce7eca97..66b809b5 100644
--- a/cmd/keymasterd/certgen.go
+++ b/cmd/keymasterd/certgen.go
@@ -65,9 +65,9 @@ func (state *RuntimeState) certGenHandler(w http.ResponseWriter, r *http.Request
 		return
 	}
 	w.(*instrumentedwriter.LoggingWriter).SetUsername(authData.Username)
-	logger.Debugf(1,
-		"Certgen, authenticated at level=%x, username=`%s`, expires=%s",
-		authData.AuthType, authData.Username, authData.ExpiresAt)
+	state.logger.Debugf(2,
+		"Certgen, authenticated at level=%x, username=`%s`, expires=%s, full=%+v",
+		authData.AuthType, authData.Username, authData.ExpiresAt, authData)
 	sufficientAuthLevel := false
 	// We should do an intersection operation here
diff --git a/cmd/keymasterd/jwt.go b/cmd/keymasterd/jwt.go
index 78b90d85..0ceb9e88 100644
--- a/cmd/keymasterd/jwt.go
+++ b/cmd/keymasterd/jwt.go
@@ -153,9 +153,11 @@ func (state *RuntimeState) getAuthInfoFromJWT(serializedToken,
 		err = errors.New("invalid JWT values")
 		return rvalue, err
 	}
+	state.logger.Debugf(3, "inbound jwtinfo=%+v", inboundJWT)
 	rvalue.AuthType = inboundJWT.AuthType
 	rvalue.ExpiresAt = time.Unix(inboundJWT.Expiration, 0)
-	if inboundJWT.CertNotAfter == 0 { //backwards compat
+	rvalue.CertNotAfter = time.Unix(inboundJWT.CertNotAfter, 0)
+	if inboundJWT.CertNotAfter < inboundJWT.NotBefore { //backwards compat
 		rvalue.CertNotAfter = time.Unix(inboundJWT.NotBefore, 0).Add(maxCertificateLifetime)
 	}
 	rvalue.Username = inboundJWT.Subject
diff --git a/cmd/keymasterd/main_test.go b/cmd/keymasterd/main_test.go
index 18c286c0..16c2c4b3 100644
--- a/cmd/keymasterd/main_test.go
+++ b/cmd/keymasterd/main_test.go
@@ -2,7 +2,9 @@ package main
 
 import (
 	"bytes"
+	"crypto/x509"
 	"encoding/json"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"io"
@@ -16,6 +18,7 @@ import (
 	"strconv"
 	"strings"
 	"testing"
+	"time"
 
 	"golang.org/x/time/rate"
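Review bot: The new `full=%+v` argument on the `state.logger.Debugf(2, ...)` call in certGenHandler dumps every field of authData into the debug log, beyond the three fields the message already names, and the struct's contents are not visible in this hunk, so it is unclear whether anything there is unsuitable for log output. The CertNotAfter value is presumably what this commit is trying to see (it is the field jwt.go now populates, assuming authData is the same type getAuthInfoFromJWT returns), so print that explicitly instead: `"Certgen, authenticated at level=%x, username=`%s`, expires=%s, certNotAfter=%s",` with `authData.AuthType, authData.Username, authData.ExpiresAt, authData.CertNotAfter)`. The body of certGenHandler begins and ends outside the hunk.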
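Review bot: In getAuthInfoFromJWT, `rvalue.CertNotAfter = time.Unix(inboundJWT.CertNotAfter, 0)` now takes the token's CertNotAfter claim verbatim whenever it is at or after NotBefore, so the maxCertificateLifetime bound is only applied on the backwards-compat branch; the previous `== 0` test never let a non-zero claim through, so this is the first place a claim value reaches the certificate lifetime unbounded. If these tokens are only ever minted by this service the signature check above presumably makes that acceptable, but clamping is cheap and keeps the invariant local: after the compat block add `if maxNotAfter := time.Unix(inboundJWT.NotBefore, 0).Add(maxCertificateLifetime); rvalue.CertNotAfter.After(maxNotAfter) {` / `rvalue.CertNotAfter = maxNotAfter` / `}`. The added `state.logger.Debugf(3, "inbound jwtinfo=%+v", inboundJWT)` also prints the entire decoded claim set; consider logging only the NotBefore/CertNotAfter/Expiration fields this change is about. The function starts and ends outside the hunk.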
@@ -294,10 +297,31 @@ func TestSuccessFullSigningX509(t *testing.T) {
 
 	authCookie := http.Cookie{Name: authCookieName, Value: cookieVal}
 	cookieReq.AddCookie(&authCookie)
-	_, err = checkRequestHandlerCode(cookieReq, state.certGenHandler, http.StatusOK)
+	rr, err := checkRequestHandlerCode(cookieReq, state.certGenHandler, http.StatusOK)
+	if err != nil {
+		t.Fatal(err)
+	}
+	resp := rr.Result()
+	pemCert, err := io.ReadAll(resp.Body)
 	if err != nil {
 		t.Fatal(err)
 	}
+	block, _ := pem.Decode(pemCert)
+	if block == nil || block.Type != "CERTIFICATE" {
+		t.Fatalf("content is not pem or a cert")
+	}
+	respCert, err := x509.ParseCertificate(block.Bytes)
+	if err != nil {
+		t.Fatal(err)
+	}
+	//Time validity
+	if respCert.NotAfter.Before(time.Now()) {
+		t.Fatalf("cert is expired notafter=%+v", respCert.NotAfter)
+	}
+	if respCert.NotBefore.After(time.Now()) {
+		t.Fatalf("cert is not valid yet")
+	}
+
 }
 
 func TestSuccessFullSigningX509BadLDAPNoGroups(t *testing.T) {
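Review bot: The new assertions under `//Time validity` only check that the returned certificate is valid right now, so they would not detect the lifetime regression this commit's jwt.go change can introduce (a CertNotAfter claim accepted without an upper bound); add a bound against the package constant the server uses: `if respCert.NotAfter.After(respCert.NotBefore.Add(maxCertificateLifetime)) {` / `t.Fatalf("cert lifetime exceeds maximum: notafter=%v", respCert.NotAfter)` / `}`. Also add `defer resp.Body.Close()` right after `resp := rr.Result()`; it is a no-op for a recorder today but keeps the test correct if the helper ever returns a real response. The function TestSuccessFullSigningX509 starts outside the hunk.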