diff --git a/src/pki/command.h b/src/pki/command.h
index deb1ba535..9cf036bf2 100644
--- a/src/pki/command.h
+++ b/src/pki/command.h
@@ -29,7 +29,7 @@
 /**
  * Maximum number of options in a command (+3)
  */
-#define MAX_OPTIONS 32
+#define MAX_OPTIONS 36
 
 /**
  * Maximum number of usage summary lines (+1)
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index c2a120fca..8d38e2c5a 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -72,8 +72,8 @@ static int issue()
 	int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
 	chunk_t serial = chunk_empty;
 	chunk_t encoding = chunk_empty;
-	time_t lifetime = 1095;
-	time_t not_before, not_after;
+	time_t not_before, not_after, lifetime = 1095 * 24 * 60 * 60;
+	char *datenb = NULL, *datena = NULL, *dateform = NULL;
 	x509_flag_t flags = 0;
 	x509_t *x509;
 	x509_cdp_t *cdp = NULL;
@@ -132,13 +132,22 @@ static int issue()
 				san->insert_last(san, identification_create_from_string(arg));
 				continue;
 			case 'l':
-				lifetime = atoi(arg);
+				lifetime = atoi(arg) * 24 * 60 * 60;
 				if (!lifetime)
 				{
 					error = "invalid --lifetime value";
 					goto usage;
 				}
 				continue;
+			case 'D':
+				dateform = arg;
+				continue;
+			case 'F':
+				datenb = arg;
+				continue;
+			case 'T':
+				datena = arg;
+				continue;
 			case 's':
 				hex = arg;
 				continue;
@@ -285,6 +294,12 @@ static int issue()
 		error = "--cakey or --keyid is required";
 		goto usage;
 	}
+	if (!calculate_lifetime(dateform, datenb, datena, lifetime,
+							&not_before, &not_after))
+	{
+		error = "invalid --not-before/after datetime";
+		goto usage;
+	}
 	if (dn && *dn)
 	{
 		id = identification_create_from_string(dn);
@@ -455,9 +470,6 @@ static int issue()
 										chunk_from_chars(ASN1_SEQUENCE, 0));
 	}
 
-	not_before = time(NULL);
-	not_after = not_before + lifetime * 24 * 60 * 60;
-
 	cert = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
 					BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
 					BUILD_PUBLIC_KEY, public, BUILD_SUBJECT, id,
@@ -553,6 +565,9 @@ static void __attribute__ ((constructor))reg()
 			{"dn",				'd', 1, "distinguished name to include as subject"},
 			{"san",				'a', 1, "subjectAltName to include in certificate"},
 			{"lifetime",		'l', 1, "days the certificate is valid, default: 1095"},
+			{"not-before",		'F', 1, "date/time the validity of the cert starts"},
+			{"not-after",		'T', 1, "date/time the validity of the cert ends"},
+			{"dateform",		'D', 1, "strptime(3) input format, default: %d.%m.%y %T"},
 			{"serial",			's', 1, "serial number in hex, default: random"},
 			{"ca",				'b', 0, "include CA basicConstraint, default: no"},
 			{"pathlen",			'p', 1, "set path length constraint"},