From f06db4099e43cfe939456b34b3ec53b931434f23 Mon Sep 17 00:00:00 2001
From: Mariano Cano
Date: Fri, 3 Jan 2020 18:30:17 -0800
Subject: [PATCH] Add backdate support on ssh rekey.
---
 authority/ssh.go | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/authority/ssh.go b/authority/ssh.go
index e5b2955a..cfd5ed37 100644
--- a/authority/ssh.go
+++ b/authority/ssh.go
@@ -496,9 +496,12 @@ func (a *Authority) RekeySSH(oldCert *ssh.Certificate, pub ssh.PublicKey, signOp
 if oldCert.ValidAfter == 0 || oldCert.ValidBefore == 0 {
 return nil, errors.New("rekeySSH: cannot rekey certificate without validity period")
 }
- dur := time.Duration(oldCert.ValidBefore-oldCert.ValidAfter) * time.Second
- va := time.Now()
- vb := va.Add(dur)
+
+ backdate := a.config.AuthorityConfig.Backdate.Duration
+ duration := time.Duration(oldCert.ValidBefore-oldCert.ValidAfter) * time.Second
+ now := time.Now()
+ va := now.Add(-1 * backdate)
+ vb := now.Add(duration - backdate)
 
 // Build base certificate with the key and some random values
 cert := &ssh.Certificate{
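Review bot: The new window arithmetic never compares `backdate` with `duration`, so when the configured backdate is equal to or longer than the old certificate's lifetime, `vb := now.Add(duration - backdate)` lands at or before `now` and the rekeyed certificate is already expired when it is issued. A guard placed before `va`/`vb` are computed, for example `if duration <= backdate { return nil, errors.New("rekeySSH: certificate validity is shorter than the configured backdate") }`, turns that into an explicit error instead of an unusable credential. Separately, `duration` is derived from an unsigned subtraction that the zero-check above does not bound: a `ValidBefore` of `ssh.CertTimeInfinity`, or one smaller than `ValidAfter`, would wrap when converted to `time.Duration` and multiplied by `time.Second`; whether such a certificate can reach RekeySSH depends on validation outside this hunk. The function body continues past the hunk, so how `va` and `vb` are written back into the certificate fields is not visible here.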