diff --git a/server/src/api.rs b/server/src/api.rs
index 52ca446..ddb93e1 100644
--- a/server/src/api.rs
+++ b/server/src/api.rs
@@ -4,7 +4,7 @@ use std::collections::HashMap;
 use std::net::SocketAddr;
 use std::path::{self, PathBuf};
 use std::sync::Arc;
-use std::time::SystemTime;
+use std::time::{SystemTime, UNIX_EPOCH};

 use anyhow::Context;
 use axum::body;
@@ -270,7 +270,8 @@ impl From<&Certificate> for CertInfo {
 .valid_before_time()
 .duration_since(cert.valid_after_time())
 .unwrap();
- let validity_days = validity.as_secs() / ((60 * 60) * 24);
+ let expiry = cert.valid_before_time().checked_add(validity).unwrap();
+ let expiry_date = expiry.duration_since(UNIX_EPOCH).unwrap();
 let host_key = if cert.cert_type().is_host() {
 " -h"
 } else {
@@ -291,9 +292,12 @@ impl From<&Certificate> for CertInfo {
 .join(" ");
 let opts = opts.trim();
 let renew_command = format!(
- "ssh-keygen -s ./ca_key {host_key} -I {} -n {} -V {validity_days}d {opts} {}.pub",
+ "ssh-keygen -s ./ca_key {host_key} -I {} -n {} -V {:#x}:{:#x} {opts} {}.pub",
 escape(cert.key_id().into()),
- escape(cert.valid_principals().join(",").into()), escape(cert.key_id().into())
+ escape(cert.valid_principals().join(",").into()),
+ cert.valid_after(),
+ expiry_date.as_secs(),
+ escape(cert.key_id().into())
 );
 CertInfo {
 principals: cert.valid_principals().to_vec(),
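Review bot: The new `checked_add(validity).unwrap()` in `From<&Certificate> for CertInfo` panics whenever `valid_before_time() + validity` is not representable, and both operands come from the certificate being rendered. That looks reachable for a certificate issued with a very distant or "forever" expiry, though this is inferred, since how `valid_before_time()` caps large values is not visible here. `From` cannot return an error, so a saturating fallback keeps the handler alive: `let expiry = cert.valid_before_time().checked_add(validity).unwrap_or_else(|| cert.valid_before_time());`, and `.unwrap_or_default()` on the `duration_since(UNIX_EPOCH)` result. The impl body starts and ends outside the hunk.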
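Review bot: The `-V` interval in `renew_command` runs from the old `cert.valid_after()` to `valid_before + validity`, so the suggested renewal is backdated to the original start and spans twice the original lifetime. Because `validity` is computed from the certificate itself, renewing an already-renewed certificate doubles the window again (d, 2d, 4d, ...), which quietly erodes a short-lived-certificate policy. If the intent is a renewal of the same length, start the interval at the old expiry instead, e.g. pass `cert.valid_before()` as the first `{:#x}` argument (assuming the certificate type exposes the raw value alongside `valid_after()`). Also worth a comment above the format string: `// -V uses 0x-prefixed raw epoch seconds; requires an ssh-keygen that accepts hex timestamps`. The `format!` call sits in an impl body that continues outside the hunk.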