diff --git a/authority/provisioner/jwt.go b/authority/provisioner/jwt.go
index abfad915..43d0998a 100644
--- a/authority/provisioner/jwt.go
+++ b/authority/provisioner/jwt.go
@@ -116,11 +116,8 @@ func (p *JWT) Authorize(token string) ([]SignOption, error) {
 		dnsNamesValidator(dnsNames),
 		ipAddressesValidator(ips),
 		// profileWithOption(x509util.WithNotBeforeAfterDuration(so.NotBefore, so.NotAfter, p.Claims.DefaultTLSCertDuration())),
-		&validityValidator{
-			min: p.Claims.MinTLSCertDuration(),
-			max: p.Claims.MaxTLSCertDuration(),
-		},
 		newProvisionerExtensionOption(TypeJWK, p.Name, p.Key.KeyID),
+		newValidityValidator(p.Claims.MinTLSCertDuration(), p.Claims.MaxTLSCertDuration()),
 	}
 
 	// Store the token to protect against reuse.
diff --git a/authority/provisioner/oidc.go b/authority/provisioner/oidc.go
index a3946ccd..8a692518 100644
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@@ -157,6 +157,7 @@ func (o *OIDC) Authorize(token string) ([]SignOption, error) {
 	return []SignOption{
 		emailOnlyIdentity(claims.Email),
 		newProvisionerExtensionOption(TypeOIDC, o.Name, o.ClientID),
+		newValidityValidator(o.Claims.MinTLSCertDuration(), o.Claims.MaxTLSCertDuration()),
 	}, nil
 }
 
diff --git a/authority/provisioner/sign_options.go b/authority/provisioner/sign_options.go
index 3caa0ed8..ba34c864 100644
--- a/authority/provisioner/sign_options.go
+++ b/authority/provisioner/sign_options.go
@@ -123,6 +123,11 @@ type validityValidator struct {
 	max time.Duration
 }
 
+// newValidityValidator return a new validity validator.
+func newValidityValidator(min, max time.Duration) *validityValidator {
+	return &validityValidator{min: min, max: max}
+}
+
 // Validate validates the certificate temporal validity settings.
 func (v *validityValidator) Valid(crt *x509.Certificate) error {
 	var (
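Review bot: The added `newValidityValidator(...)` line in `OIDC.Authorize` is a security-relevant change — the OIDC path now bounds certificate lifetime by the provisioner's min/max TLS duration where before no validity validator was returned at all — yet no test file is part of this diff, so nothing pins the OIDC options to include a `*validityValidator` or rejects an out-of-range validity. A unit test on the OIDC `Authorize` return value would keep this check from silently regressing, since this was the path that lacked it. A one-line comment above the new option, `// Bound the certificate lifetime to the provisioner's min/max TLS duration, matching the JWT provisioner.`, would also record why it was added. The start of `Authorize` lies outside this hunk, so whether `o.Claims` is guaranteed non-nil here cannot be confirmed from the diff.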
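Review bot: The new constructor accepts any pair of durations without stating a precondition, so a misconfigured provisioner yielding `min > max` would build a validator that can never accept a certificate (or, if `Valid` treats a zero bound as unset, one that may pass unexpectedly); the body of `Valid` runs past this hunk, so how it handles zero or inverted bounds is not visible here. Unless the claims layer is known to enforce `min <= max`, the doc comment should carry that contract, and its grammar needs fixing (`return` → `returns`): `// newValidityValidator returns a validator that bounds a certificate's validity period to [min, max]; callers must ensure min <= max (expected to be guaranteed by the provisioner claims).` The adjacent pre-existing comment says `Validate` while the method is named `Valid`; aligning it while touching this area would avoid confusing godoc readers.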