diff --git a/config/config.go b/config/config.go
index 438276f69..5c37d15a5 100644
--- a/config/config.go
+++ b/config/config.go
@@ -112,7 +112,7 @@ type SigningProfile struct {
 Policies []CertificatePolicy
 Expiry time.Duration
- Backdate time.Duration
+ Backdate *time.Duration
 Provider auth.Provider
 PrevProvider auth.Provider // to suppport key rotation
 RemoteProvider auth.Provider
@@ -210,7 +210,7 @@ func (p *SigningProfile) populate(cfg *Config) error {
 return cferr.Wrap(cferr.PolicyError, cferr.InvalidPolicy, err)
 }
- p.Backdate = dur
+ p.Backdate = &dur
 }
 if !p.NotBefore.IsZero() && !p.NotAfter.IsZero() && p.NotAfter.Before(p.NotBefore) {
diff --git a/initca/initca.go b/initca/initca.go
index 54e051260..8093e6cb0 100644
--- a/initca/initca.go
+++ b/initca/initca.go
@@ -57,7 +57,7 @@ func New(req *csr.CertificateRequest) (cert, csrPEM, key []byte, err error) {
 }
 if req.CA.Backdate != "" {
- policy.Default.Backdate, err = time.ParseDuration(req.CA.Backdate)
+ *policy.Default.Backdate, err = time.ParseDuration(req.CA.Backdate)
 if err != nil {
 return
 }
@@ -251,7 +251,7 @@ func Update(ca *x509.Certificate, priv crypto.Signer) (cert []byte, err error) {
 }
 validity := ca.NotAfter.Sub(ca.NotBefore)
- copy.NotBefore = time.Now().Round(time.Minute).Add(-5 * time.Minute)
+ copy.NotBefore = time.Now().Round(time.Second)
 copy.NotAfter = copy.NotBefore.Add(validity)
 cert, err = x509.CreateCertificate(rand.Reader, copy, copy, priv.Public(), priv)
 if err != nil {
diff --git a/selfsign/selfsign.go b/selfsign/selfsign.go
index b77d4eb8a..b30b596fd 100644
--- a/selfsign/selfsign.go
+++ b/selfsign/selfsign.go
@@ -117,7 +117,7 @@ func Sign(priv crypto.Signer, csrPEM []byte, profile *config.SigningProfile) ([]
 }
 template.SerialNumber = serialNumber
- template.NotBefore = now.Add(-5 * time.Minute).UTC()
+ template.NotBefore = now.Round(time.Second).UTC()
 template.NotAfter = now.Add(expiry).UTC()
 template.KeyUsage = ku
 template.ExtKeyUsage = eku
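Review bot: `*policy.Default.Backdate, err = time.ParseDuration(req.CA.Backdate)` writes through a `*time.Duration` that nothing in this hunk allocates; unless `policy` is constructed with a non-nil Backdate above the hunk (not visible here), the first request that sets `CA.Backdate` panics with a nil-pointer dereference instead of returning an error. Parse into a local and store its address: replace the changed line with `var backdate time.Duration` followed by `backdate, err = time.ParseDuration(req.CA.Backdate)`, keep the existing `err` check, then add `policy.Default.Backdate = &backdate` after it. Using `=` rather than `:=` keeps the named result `err` from being shadowed. New's body continues outside the hunk.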
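Review bot: `time.Now().Round(time.Second)` rounds half-up, so on roughly half of all renewals the new CA certificate's NotBefore lands up to 500 ms after the instant it was signed; with the previous five-minute backdate gone, a verifier whose clock merely matches the CA's rejects the fresh root as not yet valid until that second passes, and one even slightly behind rejects it for longer. `Truncate` never moves the instant forward: `copy.NotBefore = time.Now().Truncate(time.Second).UTC()`. Update takes only the certificate and key, so unlike FillTemplate there is no profile through which a caller can opt back into backdating here; that is worth stating in Update's doc comment, e.g. `// The renewed certificate is valid from the moment of signing; there is no clock-skew allowance.` Update's body continues outside the hunk.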
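Review bot: the new NotBefore ignores `profile.Backdate` even though Sign receives the profile, so a profile that configures backdating gets no clock-skew tolerance from selfsign while the same profile does through FillTemplate; and `now.Round(time.Second)` can on its own round half a second into the future, enough for a freshly signed certificate to fail "not yet valid" checks on a client whose clock matches the CA's. Truncate instead of rounding and subtract the configured backdate when one is present, as below; if `profile` can still be nil at this point in Sign, guard before dereferencing it. Sign's body continues outside the hunk.
```go
	template.SerialNumber = serialNumber
	notBefore := now.Truncate(time.Second)
	if profile.Backdate != nil {
		notBefore = notBefore.Add(-*profile.Backdate)
	}
	template.NotBefore = notBefore.UTC()
	// … unchanged: NotAfter, KeyUsage, ExtKeyUsage assignments …
```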
diff --git a/signer/local/local_test.go b/signer/local/local_test.go
index 1cb36fba1..98a65495e 100644
--- a/signer/local/local_test.go
+++ b/signer/local/local_test.go
@@ -1636,3 +1636,109 @@ func TestLint(t *testing.T) {
 })
 }
 }
+
+func TestNotBeforeAndNotAfter(t *testing.T) {
+ csrPEM, err := os.ReadFile(testCSR)
+ if err != nil {
+ t.Fatalf("%v", err)
+ }
+
+ s := newCustomSigner(t, testCaFile, testCaKeyFile)
+
+ expiry, err := time.ParseDuration("1h")
+ if err != nil {
+ t.Fatalf("%v", err)
+ }
+
+ s.policy = &config.Signing{
+ Default: &config.SigningProfile{
+ Usage: []string{"signing", "key encipherment", "server auth", "client auth"},
+ ExpiryString: expiry.String(),
+ Expiry: expiry,
+ },
+ }
+
+ request := signer.SignRequest{
+ Request: string(csrPEM),
+ }
+
+ now := time.Now().Round(time.Second).UTC()
+ certPEM, err := s.Sign(request)
+ if err != nil {
+ t.Fatalf("%v", err)
+ }
+
+ cert, err := helpers.ParseCertificatePEM(certPEM)
+ if err != nil {
+ t.Fatalf("%v", err)
+ }
+
+ if !cert.NotBefore.Equal(now) {
+ if cert.NotBefore.Before(now) {
+ t.Fatal("Unexpected NotBefore")
+ }
+ }
+
+ if !cert.NotAfter.Equal(cert.NotBefore.Add(expiry)) {
+ t.Fatal("Unexpected NotAfter")
+ }
+}
+
+func TestNotBeforeAndNotAfterWithBackdate(t *testing.T) {
+ csrPEM, err := os.ReadFile(testCSR)
+ if err != nil {
+ t.Fatalf("%v", err)
+ }
+
+ s := newCustomSigner(t, testCaFile, testCaKeyFile)
+
+ expiry, err := time.ParseDuration("1h")
+ if err != nil {
+ t.Fatalf("%v", err)
+ }
+
+ backdate, err := time.ParseDuration("5m")
+ if err != nil {
+ t.Fatalf("%v", err)
+ }
+
+ s.policy = &config.Signing{
+ Default: &config.SigningProfile{
+ Usage: []string{"signing", "key encipherment", "server auth", "client auth"},
+ ExpiryString: expiry.String(),
+ Expiry: expiry,
+ BackdateString: backdate.String(),
+ Backdate: &backdate,
+ },
+ }
+
+ request := signer.SignRequest{
+ Request: string(csrPEM),
+ }
+
+ now := time.Now().Round(time.Second).UTC()
+ nowWithBack := now.Add(-1 * backdate)
+ certPEM, err := s.Sign(request)
+ if err != nil {
+ t.Fatalf("%v", err)
+ }
+
+ cert, err := helpers.ParseCertificatePEM(certPEM)
+ if err != nil {
t.Fatalf("%v", err)
+ }
+
+ if cert.NotBefore.Equal(now) {
+ t.Fatal("Unexpected NotBefore")
+ } else {
+ if !cert.NotBefore.Equal(nowWithBack) {
+ if cert.NotBefore.Before(nowWithBack) {
+ t.Fatal("Unexpected NotBefore")
+ }
+ }
+ }
+
+ if !cert.NotAfter.Equal(cert.NotBefore.Add(expiry)) {
+ t.Fatal("Unexpected NotAfter")
+ }
+}
diff --git a/signer/signer.go b/signer/signer.go
index d5b1f96f0..4f4370ce7 100644
--- a/signer/signer.go
+++ b/signer/signer.go
@@ -328,12 +328,10 @@ func FillTemplate(template *x509.Certificate, defaultProfile, profile *config.Si
 if !profile.NotBefore.IsZero() {
 notBefore = profile.NotBefore
 } else {
- if backdate = profile.Backdate; backdate == 0 {
- backdate = -5 * time.Minute
- } else {
- backdate = -1 * profile.Backdate
+ if profile.Backdate != nil {
+ backdate = -1 * (*profile.Backdate)
- }
- notBefore = time.Now().Round(time.Minute).Add(backdate)
+ notBefore = time.Now().Round(time.Second).Add(backdate)
 }
 }
 notBefore = notBefore.UTC()
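Review bot: neither test bounds NotBefore from above — `TestNotBeforeAndNotAfter` only fails when NotBefore is before `now`, and the backdate variant only when it is before `nowWithBack` — so a regression that pushed NotBefore minutes or years into the future (a sign error in the backdate arithmetic, say) would still pass, which is precisely the failure mode this change exposes by dropping the old fixed offset. Add an upper bound to both: `if cert.NotBefore.After(now.Add(5*time.Second)) { t.Fatal("NotBefore too far in the future") }` (with `nowWithBack.Add(5*time.Second)` in the backdate test); five seconds absorbs the rounding plus the time between computing `now` and `s.Sign` returning. The `else` after `t.Fatal("Unexpected NotBefore")` in the backdate test can be dropped, since `t.Fatal` terminates. A third case with an explicit `Backdate: &zero` would pin that an explicit zero now means "no offset", where the old `backdate == 0` check meant "use the default".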
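Review bot: `time.Now().Round(time.Second)` rounds half-up, so with no `Backdate` configured NotBefore lands up to 500 ms after the signing instant on about half of all issuances, and a relying party whose clock matches the CA's — let alone one a second behind — rejects the certificate as not yet valid until that second passes. The old five-minute offset masked this; this hunk removes it for every profile that does not set `backdate`, a silent loss of clock-skew tolerance for existing configurations. Use `notBefore = time.Now().Truncate(time.Second).Add(backdate)` so the instant never moves forward, and state the new contract on the field: `Backdate *time.Duration // nil: NotBefore is the issuance time with no clock-skew allowance; set to move NotBefore earlier`. Nothing here, nor in the visible populate hunk, rejects a negative duration — `time.ParseDuration("-5m")` succeeds — and `-1 * (*profile.Backdate)` then places NotBefore in the future, so validating `*profile.Backdate >= 0` where the profile is populated would close that. FillTemplate begins before this hunk.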