diff --git a/lib/hx509/hxtool-commands.in b/lib/hx509/hxtool-commands.in
index fa9b18ed6..01f07689e 100644
--- a/lib/hx509/hxtool-commands.in
+++ b/lib/hx509/hxtool-commands.in
@@ -466,6 +466,11 @@ command = {
 	type = "strings"
 	help = "Type of certificate to issue"
     }
+    option = {
+	long = "lifetime"
+	type = "string"
+	help = "Lifetime of certificate"
+    }
     option = {
 	long = "hostname"
 	type = "strings"
diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c
index a7551cd78..659d7afa8 100644
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -36,6 +36,7 @@ RCSID("$Id$");
 #include
 #include
+#include
 static hx509_context context;
@@ -1215,6 +1216,7 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
     hx509_private_key private_key = NULL;
     hx509_name subject = NULL;
     SubjectPublicKeyInfo spki;
+    int delta = 0;
     memset(&spki, 0, sizeof(spki));
@@ -1232,6 +1234,12 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
 	errx(1, "both --req and --ca-private-key used");
     }
+    if (opt->lifetime_string) {
+	delta = parse_time(opt->lifetime_string, "day");
+	if (delta < 0)
+	    errx(1, "Invalid lifetime: %s", opt->lifetime_string);
+    }
     if (opt->ca_certificate_string) {
 	hx509_query *q;
@@ -1341,6 +1349,12 @@ hxtool_ca(struct certificate_sign_options *opt, int argc, char **argv)
 	hx509_err(context, ret, 1, "hx509_ca_tbs_set_proxy");
     }
+    if (delta) {
+	ret = hx509_ca_tbs_set_notAfter_lifetime(context, tbs, delta);
+	if (ret)
+	    hx509_err(context, ret, 1, "hx509_ca_tbs_set_notAfter_lifetime");
+    }
     if (opt->self_signed_flag) {
 	ret = hx509_ca_sign_self(context, tbs, private_key, &cert);
 	if (ret)
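Review bot: The help text `"Lifetime of certificate"` for the new `lifetime` option does not tell the user what syntax the value takes, and validity is exactly the kind of parameter operators get wrong when guessing units. The hxtool.c side of this commit parses it with `parse_time(opt->lifetime_string, "day")`, so a bare number is interpreted as days. Suggest `help = "Lifetime of certificate (time string; a plain number is taken as days)"` so the unit is visible in `hxtool ca --help` rather than only in the source.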
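Review bot: A lifetime of `0` passes the `delta < 0` check in this hunk but is then skipped by the `if (delta)` guard in the later hunk at line 1349, so `--lifetime=0` silently issues a certificate with the default validity instead of failing. Reject it at parse time with `if (delta <= 0) errx(1, "Invalid lifetime: %s", opt->lifetime_string);` so the option either takes effect or aborts, and the later `if (delta)` then only distinguishes "option not given". parse_time returns an `int` number of seconds, so lifetimes on the order of decades presumably cannot be represented; if the helper does not itself report overflow, a wrapped small positive value would pass this check and quietly shorten the certificate — worth confirming. hxtool_ca starts and ends outside this hunk.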