Truncate to seconds to avoid rounding up times.

It can cause that certs are not valid yet, if they are used right away.

authority/provisioner/sign_ssh_options.go

@@ -216,7 +216,7 @@ func (m *sshCertificateValidityModifier) Modify(cert *ssh.Certificate) error {
 	}
 
 	if cert.ValidAfter == 0 {
-		cert.ValidAfter = uint64(now().Add(-1 * time.Minute).Unix())
+		cert.ValidAfter = uint64(now().Truncate(time.Second).Unix())
 	}
 	if cert.ValidBefore == 0 {
 		t := time.Unix(int64(cert.ValidAfter), 0)