We want the time that a keyset was set, not the time it was replaced.

lib/hdb/hdb.asn1

@@ -89,7 +89,7 @@ HDB-Ext-Aliases ::= SEQUENCE {
 
 hdb_keyset ::= SEQUENCE {
 	kvno[0]		INTEGER (0..4294967295),
-	replace-time[1]	KerberosTime,	-- time this key was replaced
+	set-time[1]	KerberosTime,	-- time this key was created/set
 	keys[2]		SEQUENCE OF Key
 }
 

lib/hdb/keys.c

@@ -247,7 +247,7 @@ hdb_add_current_keys_to_history(krb5_context context, hdb_entry *entry)
     hist_keys->val[0].keys.val = entry->keys.val;
     hist_keys->val[0].keys.len = entry->keys.len;
     hist_keys->val[0].kvno = entry->kvno;
-    hist_keys->val[0].replace_time = time(NULL);
+    (void) hdb_entry_get_pw_change_time(entry, &hist_keys->val[0].set_time);
 
     if (add) {
 	ret = hdb_replace_extension(context, entry, ext);

lib/hdb/mkey.c

@@ -549,7 +549,7 @@ hdb_unseal_keys_kvno(krb5_context context, HDB *db, krb5_kvno kvno,
 	tmp_keys[0].keys.len = ent->keys.len;
 	tmp_keys[0].keys.val = ent->keys.val;
 	tmp_keys[0].kvno = ent->kvno;
-	tmp_keys[0].replace_time = time(NULL);
+	(void) hdb_entry_get_pw_change_time(ent, &tmp_keys[0].set_time);
 	i++;
 	ent->keys.len = hist_keys->val[i].keys.len;
 	ent->keys.val = hist_keys->val[i].keys.val;

lib/hdb/test_hdbkeys.c

@@ -88,7 +88,7 @@ main(int argc, char **argv)
     memset(&keyset, 0, sizeof(keyset));
 
     keyset.kvno = kvno_integer;
-    keyset.replace_time = time(NULL);
+    keyset.set_time = time(NULL);
 
     ret = hdb_generate_key_set_password(context, principal, password_str,
 					&keyset.keys.val, &len);