diff --git a/csr/csr.go b/csr/csr.go
index 0ca250994..a39551815 100644
--- a/csr/csr.go
+++ b/csr/csr.go
@@ -18,6 +18,7 @@ import (
 "net/url"
 "strconv"
 "strings"
+ "time"
 cferr "github.com/cloudflare/cfssl/errors"
 "github.com/cloudflare/cfssl/helpers"
@@ -127,10 +128,12 @@ func (kr *KeyRequest) SigAlgo() x509.SignatureAlgorithm {
 // CAConfig is a section used in the requests initialising a new CA.
 type CAConfig struct {
- PathLength int `json:"pathlen" yaml:"pathlen"`
- PathLenZero bool `json:"pathlenzero" yaml:"pathlenzero"`
- Expiry string `json:"expiry" yaml:"expiry"`
- Backdate string `json:"backdate" yaml:"backdate"`
+ PathLength int `json:"pathlen" yaml:"pathlen"`
+ PathLenZero bool `json:"pathlenzero" yaml:"pathlenzero"`
+ Expiry string `json:"expiry" yaml:"expiry"`
+ Backdate string `json:"backdate" yaml:"backdate"`
+ NotBefore time.Time `json:"not_before" yaml:"not_before"`
+ NotAfter time.Time `json:"not_after" yaml:"not_after"`
 }
 // A CertificateRequest encapsulates the API interface to the
diff --git a/initca/initca.go b/initca/initca.go
index 40a608502..db5bfa904 100644
--- a/initca/initca.go
+++ b/initca/initca.go
@@ -93,7 +93,12 @@ func New(req *csr.CertificateRequest) (cert, csrPEM, key []byte, err error) {
 return
 }
- signReq := signer.SignRequest{Hosts: req.Hosts, Request: string(csrPEM)}
+ signReq := signer.SignRequest{
+ Hosts: req.Hosts,
+ Request: string(csrPEM),
+ NotBefore: req.CA.NotBefore,
+ NotAfter: req.CA.NotAfter,
+ }
 cert, err = s.Sign(signReq)
 return
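Review bot: In csr/csr.go, the new `NotBefore` and `NotAfter` fields on `CAConfig` carry no comment saying how they relate to the existing `Expiry` and `Backdate` strings, so a request that sets both leaves the CA's validity window ambiguous to anyone reading the struct. I would document them on the fields, e.g. `// NotBefore and NotAfter, when non-zero, give the CA certificate's validity window as absolute times; state here which wins when Expiry or Backdate is also set.` Nothing in this hunk rejects a `NotAfter` that is not later than `NotBefore`; whether the signer checks that is not visible here, so it is worth confirming before these fields decide a root's lifetime. Both are plain `time.Time` values, so an unset field marshals as the zero timestamp rather than being omitted.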
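Review bot: In initca/initca.go, the new `signReq` literal reads `req.CA.NotBefore` and `req.CA.NotAfter` unconditionally, which would panic if `CA` is a pointer field and the request carries no CA section. The declaration of `CA` and the earlier part of `New` are outside this hunk, so confirm whether a nil `req.CA` can reach this point. If it can, keep the literal to `Hosts` and `Request` and set the times under a guard: `if req.CA != nil { signReq.NotBefore = req.CA.NotBefore; signReq.NotAfter = req.CA.NotAfter }`. A short comment above the literal saying that zero times leave the validity to the signing policy would also help, if that is indeed how the signer treats them.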